INC Ransom claims responsibility for attack on NHS Scotland

Sensitive documents dumped on leak site amid claims of 3 TB of data stolen in total

NHS Scotland says it managed to contain a ransomware group's malware to a regional branch, preventing the spread of infection across the entire institution.

The INC Ransom group this week claimed responsibility for the assault on 'NHS Scotland', saying it stole 3TB worth of data while leaking a small number of sensitive files.

NHS Scotland is the national branch of the UK's National Health Service and looks after the 14 Scottish regions, including NHS Dumfries and Galloway, which announced a serious cyberattack earlier this month.

"We are aware of some data published on the web that is linked to the recent cyber-attack on NHS Dumfries and Galloway," a Scottish government spokesperson told The Register.

"This incident remains contained to NHS Dumfries and Galloway and there have been no further incidents across NHS Scotland as a whole.

"The Scottish Government is working with the health board, Police Scotland and other agencies including the National Crime Agency and National Cyber Security Centre to assess the level of this breach and the possible implications for individuals concerned.

"The Scottish Government is continuing to provide support to NHS Dumfries and Galloway as they deal with this ongoing situation. This remains an ongoing police investigation."

In typical fashion for modern-day ransomware and extortion groups, INC has published a snippet of the alleged total 3TB of data it stole from the healthcare group.

The data types that appear to be in the hands of cybercriminals include patients' medical test results (adults and young children), medication information, and their full names and home addresses. The full names and contact details of medical professionals are also visible.

This dump of data could suggest criminals behind the attack have grown less confident in their ability to get a ransom payment, so have publicized the attack to pressure the victim, per the double extortion playbook.

It is, of course, the UK's official recommendation that victims do not pay ransoms, although it isn't against the law to do so, unless the criminals are on a sanctions list.

Many of the documents clearly reference NHS Dumfries and Galloway. Despite originally disclosing an incident on March 15, NHS Dumfries and Galloway have not acknowledged the incident as ransomware, instead describing it as a "focused and ongoing cyberattack."

Prior to Wednesday's response to INC Ransom's claims, the most recent update posted to its dedicated cyberattack information page was dated March 19, confirming that systems were running as normal but investigations into the incident were ongoing. 

"As you would expect, this has been viewed as an extremely serious matter demanding a major response," said Jeff Ace, chief executive at NHS Dumfries and Galloway at the time.

"Over recent days we've been very busy working with partner agencies to ensure the security of our systems, to adapt to the associated disruption, and to assess the potential risk posed by the hackers' ability to access data.

"It must be noted that this is a live criminal investigation, and we are very limited in what we can say. In addition, a great deal of work is required in order to say with assurance what data may have been obtained, and we are not yet in that position.

"However, as it has been noted, there is reason to believe that those responsible may have acquired patient and staff-specific data.

"The NHS Board views patient and staff confidentiality as a key priority, along with ensuring welfare and wellbeing. As such, very great effort is being made to address this situation, and to try to prevent it from being repeated.

"We will look to update as and when we can, but in the meantime would again caution staff and patients to be on their guard for anyone accessing their systems, or anyone making contact with them claiming to be in possession of any information. Any such incidents should be reported immediately to Police Scotland on 101."

Per NHS Dumfries and Galloway's initial disclosure, the attackers were said to have acquired "a significant quantity of data" and there was "reason to believe that this could include patient-identifiable and staff-identifiable data."

A spokesperson for the UK's National Cyber Security Centre (NCSC) said in a statement: "We are working with law enforcement, NHS Scotland, and the Scottish government to fully understand the impact of an incident."

Deryck Mitchelson, global chief information security officer at Check Point and former NHS Scotland CIO said: "Healthcare is the perfect hunting ground for cybercriminals. It has a vast attack surface consisting of many disparate legacy and newer technologies and reliance on a large network of 3rd party suppliers. 

"The scale and complexity of services makes it very difficult to detect a breach, such as this one, until data has been exfiltrated or encrypted and critical services are impacted."

INC Ransom is a relatively new gang on the block, spinning up in July 2023 and posting targets indiscriminately, as researchers at SentinelOne put it.

Its biggest scalp to date is Xerox Business Solutions, a US subsidiary of tech giant Xerox. Formerly called Global Imaging Systems, its financials aren't publicly released, but prior to the Xerox acquisition in 2007, its annual revenues exceeded $1 billion.

INC has shown no restraint when it comes to choosing the types of victims it's willing to target. In its short stint on the ransomware scene, it has claimed attacks on organizations across healthcare, education, and even charities in some cases.

That said, very few cybercriminals exercise that level of restraint nowadays. Healthcare continues to be targeted by cybercriminals and ransomware baddies due to the critical nature of its services. If disruption can be caused, then theoretically there is a greater chance of a ransom being paid to regain full patient care capabilities.

The ALPHV/BlackCat gang took credit for the hugely impactful attack on Change Healthcare that disrupted services for weeks across February and March this year. Romania also dealt with a serious ransomware incident that affected more than 100 facilities in February too – just two recent examples of many that illustrate how consistently healthcare is targeted by cybercriminals.

The US is rising to the challenge though. DARPA recently added the Advanced Research Projects Agency for Health (ARPA-H) to its two-year cash-for-ideas competition that aims to find ways to secure code in critical infrastructure.

The Artificial Intelligence Cyber Challenge (AIxCC) was announced last summer and sees teams working to build tools that autonomously detect code issues in software used by organizations like hospitals and water treatment facilities – another prime target for cybercrime of late.

ARPA-H confirmed it's funneled $20 million into the rewards kitty for the AIxCC as it aims to help secure healthcare from attacks as damaging and disruptive as the one on Change Healthcare, which sent pharmacies back to pen and paper meaning patients couldn't collect their meds. ®

More about


Send us news

Other stories you might like