Ireland's HSE — Conti ransomware

Conti ransomware entered Ireland's Health Service Executive via a phishing email, encrypted core clinical systems, and forced hospitals to cancel tens of thousands of appointments.

Target: Ireland's HSE — Conti ransomware
Date public: 14 May 2021
Sector: Healthcare
Attack type: Ransomware
Threat actor: Conti
Severity: Critical
Region: Ireland

In May 2021 hackers locked the computer systems that run Ireland's entire national health service. The attack started eight weeks earlier when one HSE employee opened a malicious email attachment. After that, the hackers quietly explored the network — collecting login details and finding their way to the most important servers — until they were ready to lock everything at once. When the ransomware hit, hospitals across Ireland had to go back to pen and paper. X-ray and scan images couldn't be shared electronically. Lab results had to be phoned between departments. Cancer treatments and outpatient appointments were cancelled by the tens of thousands. Patients waited hours longer in emergency departments because staff couldn't access records. Unusually, the criminal group behind the attack — Conti — released a tool to unlock the systems without being paid. The worldwide backlash against attacking a national health service had become too damaging to their reputation. But unlocking systems and rebuilding them are different things: the full recovery took most of 2021 and cost over €100 million.

What happened

On 14 May 2021 Conti ransomware encrypted core systems of Ireland’s Health Service Executive, the publicly funded body that manages almost all of the country’s health and social care services. The encryption hit simultaneously across thousands of servers and endpoints, taking down patient management systems, radiology and imaging infrastructure, laboratory information systems, and a wide range of clinical and administrative applications. Hospitals across Ireland reverted to paper and manual processes on the morning of 14 May and did not fully return to electronic operation for months.

The clinical consequences were severe and immediate. Chemotherapy appointments were cancelled because staff could not verify treatment protocols without access to patient records. Radiology departments could not deliver or share scan images electronically. Emergency departments operated without electronic patient notes, extending triage times. The HSE estimated that approximately 80,000 outpatient appointments and 3,000 cancer screening appointments were disrupted in the weeks following the attack. For a national health system already under pressure from the tail-end of the COVID-19 pandemic, the timing compounded an already strained environment.

The Irish government obtained a High Court order against the attackers and any entities handling the stolen data. Two days later, in an outcome without precedent in the ransomware ecosystem, Conti provided the HSE with a free decryption tool. The group stated it had not intended to disrupt healthcare and offered the decryptor as a gesture. The most credible explanation, supported by subsequent reporting, is that the global backlash had become too reputationally damaging within criminal circles for Conti to maintain the position. The decryptor unlocked encrypted files but did not repair the damage to infrastructure, configurations, and systems: rebuilding took the remainder of 2021.

A post-incident review commissioned by the HSE and conducted by PwC was published in full in December 2021. It is one of the most detailed public post-mortems of a major ransomware event ever released by a government body, and its findings directly shaped Ireland’s subsequent national cybersecurity investment programme.

How it worked

The PwC review established that the initial access vector was a malicious Microsoft Excel file attached to a phishing email, opened by an HSE employee on a workstation on 16 March 2021 — eight weeks before the ransomware deployed. The file contained a macro that, when enabled, dropped a Cobalt Strike beacon, a legitimate penetration-testing tool routinely weaponised by criminal and state-sponsored actors for post-exploitation activity.
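The initial access vector was a macro-carrying Office attachment. As an added example for this page (not HSE tooling and not from the PwC review), the check below shows what a mail gateway can do about that class of file without any vendor product: classify an attachment by its bytes rather than its extension, and hold anything that can carry VBA. The sample attachments, names and the minimal OOXML packages are constructed inline for the demo.

```python
"""Content-based check for macro-capable Office attachments.

Added example for this page; it is not HSE tooling and not from the PwC review.
Modern Office files are ZIP containers: a macro-enabled workbook or document
carries a vbaProject.bin part and declares the application/vnd.ms-office.vbaProject
content type in [Content_Types].xml. Legacy binary Office files (.xls, .doc) are
OLE2 compound documents, which the standard library cannot parse, so they are
flagged for quarantine or deeper inspection rather than passed through.
"""
import io
import zipfile

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # OLE2 compound file header
ZIP_MAGIC = b"PK\x03\x04"
VBA_CONTENT_TYPE = b"application/vnd.ms-office.vbaProject"


def classify_attachment(data: bytes) -> str:
    """Return one of 'macro', 'legacy-binary', 'clean', 'not-office'."""
    if data.startswith(OLE2_MAGIC):
        return "legacy-binary"
    if not data.startswith(ZIP_MAGIC):
        return "not-office"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
            if "[Content_Types].xml" not in names:
                return "not-office"   # a ZIP, but not an OOXML package
            # Either signal alone is enough: the part may exist without the
            # override, or the override may be declared for a part elsewhere.
            if any(n.lower().endswith("vbaproject.bin") for n in names):
                return "macro"
            if VBA_CONTENT_TYPE in zf.read("[Content_Types].xml"):
                return "macro"
            return "clean"
    except zipfile.BadZipFile:
        return "not-office"


def should_quarantine(data: bytes) -> bool:
    """Gateway policy: hold anything that can carry VBA until a sandbox or analyst clears it."""
    return classify_attachment(data) in ("macro", "legacy-binary")


def _build_ooxml(with_macro: bool) -> bytes:
    """Constructed minimal OOXML package for the demo; not a real workbook."""
    content_types = (
        b'<?xml version="1.0" encoding="UTF-8"?>'
        b'<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        b'<Default Extension="xml" ContentType="application/xml"/>'
    )
    if with_macro:
        content_types += (b'<Override PartName="/xl/vbaProject.bin" '
                          b'ContentType="application/vnd.ms-office.vbaProject"/>')
    content_types += b"</Types>"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("xl/workbook.xml", b"<workbook/>")
        if with_macro:
            zf.writestr("xl/vbaProject.bin", b"\x00constructed placeholder VBA project\x00")
    return buf.getvalue()


# Constructed sample attachments; the names are placeholders.
SAMPLES = {
    "invoice.xlsx": _build_ooxml(with_macro=False),
    "invoice_q1.xlsx": _build_ooxml(with_macro=True),  # .xlsx name, but carries a VBA project
    "report.xls": OLE2_MAGIC + b"\x00" * 64,
    "notes.txt": b"just some text",
}


def triage(samples: dict) -> dict:
    """Map each attachment name to its classification."""
    return {name: classify_attachment(data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, verdict in triage(SAMPLES).items():
        print(f"{name:16} {verdict:14} quarantine={should_quarantine(SAMPLES[name])}")
```

The point of the content-based check is that the verdict does not depend on the file name: the second sample is named like an ordinary workbook but is classified as macro-capable because of what the package contains. The legacy binary formats are deliberately treated as opaque and held, since the standard library gives no safe way to tell a harmless .xls from one with a VBA project.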

From that initial foothold, the Conti affiliate spent eight weeks inside the HSE network conducting reconnaissance and lateral movement. The review identified a fundamentally flat network architecture as the critical enabling condition: there was no meaningful segmentation between the administrative network, regional hospital networks, and clinical systems. A foothold on one HSE endpoint was, in practice, a foothold with pathways to the entire organisation. During the dwell period, the attackers harvested credentials progressively, escalating to domain-administrator rights across multiple HSE Active Directory domains. They identified backup systems and staging environments, and exfiltrated approximately 700 GB of data before deploying ransomware.

The HSE had no security operations centre and no 24/7 monitoring capability at the time of the attack. The Conti beacon’s activity — including lateral movement, credential harvesting, and data staging — was not detected or acted upon over the eight-week preparation period. Antivirus products on some endpoints flagged activity, but no centralised process existed to aggregate and respond to those alerts. The PwC review described the HSE’s security posture at the time as inadequate relative to the scale and sensitivity of the infrastructure it was responsible for protecting.

Conti operated as a ransomware-as-a-service (RaaS) group, providing the malware, infrastructure, and negotiation support to affiliated operators who conducted individual attacks in exchange for a revenue share. The affiliate responsible for the HSE attack has not been publicly identified. Conti itself was subsequently disrupted following a leak of internal communications in February 2022 that exposed its membership, infrastructure, and operational playbooks.

Timeline

  • 16 March 2021 — Phishing email with malicious Excel attachment opened by an HSE employee. Cobalt Strike beacon deployed on the workstation.
  • March–May 2021 — Attacker conducts reconnaissance and lateral movement across HSE network. Credentials harvested, privilege escalation to domain admin across multiple domains. Approximately 700 GB of data exfiltrated.
  • 14 May 2021 — Conti ransomware deployed across HSE systems in the early hours. HSE detects the attack and begins shutting down systems. Hospitals revert to paper processes.
  • 14 May 2021 — HSE CEO Paul Reid confirms the attack publicly. The HSE advises all hospitals to shut down IT systems as a precaution.
  • 16 May 2021 — Irish High Court grants emergency injunction preventing the use or distribution of HSE data.
  • 20 May 2021 — Conti provides the HSE with a free decryption tool, citing that it had not intended to target healthcare.
  • June–November 2021 — Phased restoration of systems across HSE hospitals and services. Outpatient and screening service backlogs managed.
  • December 2021 — PwC post-incident review published in full. Total costs assessed at over €100 million.

What defenders should learn

The eight-week dwell period is the defining lesson of the HSE incident, and it was enabled entirely by the absence of centralised monitoring. Eight weeks of Cobalt Strike activity, lateral movement, credential harvesting, and data staging happened inside Ireland’s national health service without generating a single acted-upon alert. Security monitoring is not a technology purchase: it requires a security operations capability with people available continuously, processes for aggregating and prioritising alerts, and clear escalation paths. The HSE had none of those things. Every endpoint detection product generates noise; the value comes from the process that converts noise into a timely response. Without it, weeks of attacker preparation are invisible.
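Both the "How it worked" section (antivirus flagged activity on some endpoints, but nothing aggregated the alerts) and the paragraph above (noise only becomes a response through a process) describe the same gap. The example below is added for this page and is not HSE or PwC tooling: it takes alert lines in a constructed pipe-delimited format (timestamp|host|product|signature|action), scores them so that post-exploitation tooling outranks routine detections, and correlates across alerts and hosts so that a pattern becomes one escalated case with an owner and a deadline. The host names, signature strings and severity weights are placeholders.

```python
"""Aggregate endpoint alerts into a prioritised response queue.

Added example for this page; not HSE or PwC tooling. Alert lines, host names
and signature strings are constructed placeholders. Two ideas are shown: a
severity model that separates post-exploitation tooling from routine noise,
and correlation across alerts and hosts so that a pattern becomes one case.
"""
from collections import defaultdict
from datetime import datetime

SAMPLE_ALERTS = """\
2021-03-16T09:12:41Z|WS-A17|av|Trojan:Win32/CobaltStrike.gen|quarantined
2021-03-16T09:12:43Z|WS-A17|av|Trojan:Win32/CobaltStrike.gen|allowed-by-user
2021-03-18T14:03:10Z|WS-A17|edr|LSASS memory read by unsigned process|logged
2021-03-22T02:41:55Z|SRV-FILE02|edr|Remote service created via SCM (PsExec-style)|logged
2021-03-22T02:42:07Z|SRV-FILE02|av|Trojan:Win32/CobaltStrike.gen|quarantined
2021-03-23T11:20:00Z|WS-B03|av|PUA:Win32/Toolbar|quarantined
2021-04-02T23:58:12Z|SRV-BKP01|edr|Volume shadow copies deleted (vssadmin)|logged
2021-04-10T08:15:30Z|WS-C88|av|Adware:Win32/Generic|quarantined
"""

# Keyword -> base severity; first match wins. Tooling associated with
# post-exploitation outranks anything a user-facing product calls "cleaned".
SEVERITY_RULES = [
    ("cobaltstrike", 90), ("lsass", 85), ("shadow cop", 85),
    ("psexec", 70), ("remote service", 70),
    ("pua:", 10), ("adware", 10),
]


def score(signature: str) -> int:
    s = signature.lower()
    for needle, weight in SEVERITY_RULES:
        if needle in s:
            return weight
    return 30  # unknown signature: worth a look, not an incident by itself


def parse(text: str) -> list:
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, product, signature, action = line.split("|", 4)
        alerts.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "host": host, "product": product,
                       "signature": signature, "action": action,
                       "score": score(signature)})
    return alerts


def sla(priority: int) -> str:
    if priority >= 80:
        return "P1: page on-call now"
    if priority >= 50:
        return "P2: analyst within 4h"
    return "P3: daily review"


def triage(text: str) -> list:
    """One case per host, ordered by priority and then by first sighting."""
    by_host = defaultdict(list)
    for a in parse(text):
        by_host[a["host"]].append(a)
    queue = []
    for host, items in by_host.items():
        top = max(a["score"] for a in items)
        kinds = {a["signature"] for a in items}
        # Several distinct techniques on one host, or a block the user overrode,
        # is stronger evidence than any single detection.
        overridden = any(a["action"] == "allowed-by-user" for a in items)
        priority = min(100, top + 10 * (len(kinds) - 1) + (15 if overridden else 0))
        queue.append({"host": host, "priority": priority, "sla": sla(priority),
                      "first_seen": min(a["ts"] for a in items),
                      "signatures": sorted(kinds)})
    queue.sort(key=lambda c: (-c["priority"], c["first_seen"]))
    return queue


def spreading_signatures(text: str, min_hosts: int = 2) -> dict:
    """High-severity signatures seen on several hosts: the same tradecraft
    moving through the estate, which a per-host console view never shows."""
    sig_hosts = defaultdict(set)
    for a in parse(text):
        if a["score"] >= 70:
            sig_hosts[a["signature"]].add(a["host"])
    return {s: sorted(h) for s, h in sig_hosts.items() if len(h) >= min_hosts}


if __name__ == "__main__":
    for case in triage(SAMPLE_ALERTS):
        print(f"{case['sla']:24} {case['host']:11} prio={case['priority']:3} "
              f"since {case['first_seen']:%Y-%m-%d}  {', '.join(case['signatures'])}")
    print("spreading:", spreading_signatures(SAMPLE_ALERTS))
```

Run against the constructed sample, the first workstation lands at the top of the queue on the day of the first detection: a quarantined beacon that the user then allowed, followed two days later by a credential-access signal. The cross-host view adds what no single alert carries, namely that the same beacon signature has appeared on a server a week later. Keyword scoring is deliberately crude; the mechanism that matters is that every alert ends up in a queue with a priority, an owner and a clock, which is what the HSE lacked.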

Network segmentation was the second systemic failure. The HSE’s flat architecture meant that a single phishing email on a non-clinical workstation was, within the attacker’s dwell window, a route to clinical systems across the entire country. A properly segmented network limits the blast radius of any intrusion: a compromised administrative endpoint should not have any pathway to patient-records systems in a hospital 200 kilometres away. Segmentation is not a one-time project; it requires sustained architectural investment and operational discipline to maintain. The PwC review recommended this as the single highest-priority remediation.
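To make "blast radius" concrete, the following added example (not from the PwC review; the zone names, rules and observed flows are constructed placeholders) models a zone policy as a default-deny rule list and computes which zones a foothold can reach transitively. A flat network is the single rule any-to-any; the segmented policy allows only the flows each zone needs. The same policy is then used to audit a list of observed flows, which is the detection side of segmentation.

```python
"""Blast radius of a foothold under a flat versus a segmented zone policy.

Added example for this page, not from the PwC review; zone names, rules and
observed flows are constructed placeholders. A policy is a default-deny list
of (source zone, destination zone, service) rules with "*" as a wildcard.
Blast radius is the set of zones a foothold can reach by chaining allowed
flows, which is what an attacker with harvested credentials can traverse.
"""
from collections import deque

ZONES = ["admin-workstations", "admin-servers", "hospital-A-clinical",
         "hospital-B-clinical", "backup", "identity"]

# What "no meaningful segmentation" looks like as a rule set.
FLAT_POLICY = [("*", "*", "*")]

SEGMENTED_POLICY = [
    ("admin-workstations", "admin-servers", "https"),
    ("admin-workstations", "identity", "kerberos"),
    ("hospital-A-clinical", "identity", "kerberos"),
    ("hospital-B-clinical", "identity", "kerberos"),
    # Backup initiates to its clients; nothing may initiate into the backup zone.
    ("backup", "admin-servers", "backup-agent"),
    ("backup", "hospital-A-clinical", "backup-agent"),
    ("backup", "hospital-B-clinical", "backup-agent"),
]


def allowed(policy, src, dst, service):
    """True if some rule permits this flow (default deny)."""
    return any(s in ("*", src) and d in ("*", dst) and v in ("*", service)
               for s, d, v in policy)


def neighbours(policy, src, zones):
    """Zones that `src` may initiate to on any service."""
    return {d for d in zones
            if d != src and any(s in ("*", src) and dd in ("*", d) for s, dd, _ in policy)}


def blast_radius(policy, start, zones=ZONES):
    """Zones reachable from `start` by chaining allowed flows (breadth-first)."""
    seen, queue = {start}, deque([start])
    while queue:
        cur = queue.popleft()
        for nxt in neighbours(policy, cur, zones) - seen:
            seen.add(nxt)
            queue.append(nxt)
    return seen - {start}


# Constructed flows, as a firewall log or NetFlow collector might report them.
OBSERVED_FLOWS = [
    ("admin-workstations", "admin-servers", "https"),
    ("admin-workstations", "hospital-A-clinical", "smb"),
    ("admin-servers", "backup", "rdp"),
    ("hospital-A-clinical", "identity", "kerberos"),
]


def violations(policy, flows):
    """Observed flows the policy does not permit: either a gap in enforcement
    or lateral movement, and in both cases worth an alert."""
    return [f for f in flows if not allowed(policy, *f)]


if __name__ == "__main__":
    for name, policy in (("flat", FLAT_POLICY), ("segmented", SEGMENTED_POLICY)):
        reach = blast_radius(policy, "admin-workstations")
        print(f"{name}: foothold on admin-workstations reaches {len(reach)} of "
              f"{len(ZONES) - 1} other zones: {sorted(reach)}")
        print(f"{name}: violations in observed flows: {violations(policy, OBSERVED_FLOWS)}")
```

Two things the output makes visible. First, under the segmented policy an admin workstation still reaches the identity zone, because every zone must authenticate; network segmentation bounds where packets can go, not what a stolen domain-admin credential is allowed to do, so it has to be paired with tiering of privileged accounts. Second, the backup zone has the largest blast radius of any zone under the segmented policy because it initiates to every client, which is why attackers identify backup systems during the dwell period and why inbound access to that zone must stay closed.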

The Conti decryptor is a misleading comfort for the sector. The HSE obtained a free tool to unlock files and it still spent €100 million and most of a year rebuilding. Decryption is the smallest part of recovery from a sophisticated ransomware intrusion. The infrastructure damage, the need to validate that no backdoors remain in rebuilt systems, the re-provisioning of thousands of endpoints, and the revalidation of clinical data integrity dwarf the file-unlocking step. Organisations that imagine that paying the ransom or obtaining a decryptor resolves the situation are wrong.

Finally, the PwC post-mortem itself is a public good of the highest order. Publishing the full report without redaction gave every comparable organisation — national health services, hospital groups, healthcare IT operators — a detailed blueprint of exactly how a Conti affiliate operates, precisely which security controls were missing, and what a proportionate remediation programme looks like. The Irish government’s decision to publish without redaction should be the model for government-sector post-incident transparency.

Controls that would have helped

Defender controls catalogued in the Controls Desk that would have changed the outcome of this incident, or limited its blast radius. Sourced from regulator and framework guidance — never vendors.
