Staff at one of the UK’s largest hospital groups have spent a nervous week wondering if private data, stolen from their employer’s IT systems by a ransomware gang, is going to be splurged online after a deadline to prevent publication passed.
The theft was confirmed by Barts Health NHS Trust, which said it was “urgently investigating” the raid.
Some personally identifiable information belonging to workers has already been leaked by the ransomware gang on its website as proof of the intrusion and exfiltration, including people’s financial details, CVs, and copies of passports and driving licenses. It’s not clear if or how much patient or medical data is involved. As one of hundreds of NHS trusts in the country, Barts manages five hospitals in the capital and says it serves about 2.5 million people.
The criminals behind the attack are the notorious BlackCat crew, aka ALPHV, who have lately made a habit of going after healthcare providers in search of sensitive data.
BlackCat, linked to the DarkSide Russian squad, is a so-called triple extortion operation. In its early days, it offered ransomware-as-a-service: affiliates would rent malware to infect machines, encrypting their files, and requiring a ransom to restore them.
In a double extortion operation, which has quickly become popular, the computers aren’t only scrambled, but pillaged beforehand for data, and the criminals then threaten to release the information unless payment is made. The triple turn is a more recent tactic, and sees individual victims whose data was exposed in the leak notified so they can pressure the source of the stolen data to pay up.
BlackCat has recently succeeded with attacks against big name orgs – taking data from Reddit, causing a rumble Down Under with an elite legal firm’s records, and leaving red faces at Western Digital by rampaging through its servers.
In the case of the Barts NHS Trust in London it appears miscreants made off with as much data as possible – reportedly 7TB in all. The crooks threatened on June 30 to release it all unless contact was made about payment within three days. That deadline has now expired.
It appears the crew may have skipped the ransomware stage altogether and just gone for the data. There have been no reports of Barts hospitals suffering the kind of serious disruption a system-scrambling malware infection would cause, so this may just have been a simple smash-and-grab operation.
The UK’s National Cyber Security Centre said it was “working with Barts Health NHS Trust and partners to fully understand the impact of an incident.”