ST. JOHN'S, N.L. — Details released this week about Newfoundland and Labrador’s efforts to recover from a cyberattack on its health-care system provide clues about the incident and how the government may have responded, experts say.
David Diamond, head of Newfoundland and Labrador's largest health authority, told reporters Tuesday that the systems taken out in the Oct. 30 cyberattack were being "rebuilt from scratch, from backups."
Brian Honan, a cybersecurity consultant and former special adviser to Europol’s Cyber Crime Centre, said when victims of ransomware attacks have to completely rebuild systems, it's typically because they did not obtain a decryption key from the perpetrators — or the key they received doesn't work as expected.
Mark Sangster, vice-president of industry security strategy at eSentire, a cybersecurity firm in Waterloo, Ont., said officials may have decided to rebuild the systems because they wanted to be sure the hackers hadn't left behind any hidden back doors through which they might enter again.
It's an expensive and arduous job to take on, he added. "When you rebuild from scratch, I can tell you that's a brave decision to make and one that companies or organizations don't take lightly," Sangster said in an interview Wednesday.
Ransomware is a type of software often used in cyberattacks. Hackers break into a network and then trigger the software to encrypt data. The hackers then demand a payment in exchange for a key that would decrypt the data, thus holding the network and its users hostage.
The Newfoundland and Labrador government has been tight-lipped about the attack on its health-care networks, refusing to say if it has been in contact with the perpetrators, if a ransom has been demanded or paid, or even if the attack involves ransomware at all.
They also have not said if any data was lost, though Honan said there likely was if systems are being rebuilt from backups.
"When you restore from your backup, you're restoring from the point of time the backup was done," he said in an interview Wednesday. "Any data or any information that would have changed, updated or added since the backup was done would be lost."
Officials confirmed Tuesday the hackers stole personal information from health-care employees or patients in all four of the province's health regions as well as social insurance numbers belonging to 2,514 patients — 1,025 of whom are still alive. Diamond said those social insurance numbers were likely collected by mistake.
"I challenge that statement," Sangster said, adding that the health authority is on the hook for collecting the data in the first place, whether it was a mistake or not. "Whether or not you need it, whether or not you use it every day, that's just inexcusable."
Both Honan and Sangster questioned the Newfoundland and Labrador government's choice to reveal so little about the attack and its orchestrators. Sangster said he believes the Conti ransomware gang is behind the attack.
Conti launched a ransomware attack against Ireland's health-care system in May that experts have compared to the one against Newfoundland and Labrador. The hackers got in when an unsuspecting worker clicked on an Excel spreadsheet attached to an email, according to a report released last week by Ireland's Health Service Executive.
The Irish government promptly and publicly denounced the attack and said they would not pay a ransom. The perpetrators handed over a decryption key without payment, and within two months of the attack, 94 per cent of the affected servers were decrypted, the report says.
Honan, who is chief executive officer of cybersecurity firm BH Consulting in Dublin, said that kind of transparency helped reassure people. "It also enabled other health-care providers around the world to learn from the HSE so that they could better protect their own systems," he added.
This report by The Canadian Press was first published Dec. 15, 2021.
Sarah Smellie, The Canadian Press