Barts NHS hack leaves folks on tenterhooks over extortion

BlackCat pounces on 7TB of data and threatens to release it


Staff at one of the UK's largest hospital groups have spent a nervous week wondering if private data, stolen from their employer's IT systems by a ransomware gang, is going to be splurged online after a deadline to prevent publication passed.

The theft was confirmed by Barts Health NHS Trust, which said it was "urgently investigating" the raid.

Some personally identifiable information belonging to workers has already been leaked by the ransomware gang on its website as proof of the intrusion and exfiltration, including people's financial details, CVs, and copies of passports and driving licenses. It's not clear if or how much patient or medical data is involved. As one of hundreds of NHS trusts in the country, Barts manages five hospitals in the capital and says it serves about 2.5 million people.

The criminals behind the attack are the notorious BlackCat crew, aka ALPHV, who have lately made a habit of going after healthcare providers in search of sensitive data.

BlackCat, linked to the DarkSide Russian squad, is a so-called triple extortion operation. In its early days, it offered ransomware-as-a-service: affiliates would rent malware to infect machines, encrypting their files, and requiring a ransom to restore them.

In a double extortion operation, which has quickly become popular, the computers aren't only scrambled, but pillaged beforehand for data, and the criminals then threaten to release the information unless payment is made. The triple turn is a more recent tactic, and sees individual victims whose data was exposed in the leak notified so they can pressure the source of the stolen data to pay up.

BlackCat has recently succeeded with attacks against big name orgs – taking data from Reddit, causing a rumble Down Under with an elite legal firm's records, and leaving red faces at Western Digital by rampaging through its servers.

In the case of the Barts NHS Trust in London it appears miscreants made off with as much data as possible – reportedly 7TB in all. The crooks threatened on June 30 to release it all unless contact was made about payment within three days. That deadline has now expired.

It appears the crew may have skipped the ransomware stage altogether and just gone for the data. There have been no reports of Barts hospitals suffering the kind of serious disruption a system-scrambling malware infection would cause, so this may just have been a simple smash-and-grab operation.

The UK's National Cyber Security Centre said it was "working with Barts Health NHS Trust and partners to fully understand the impact of an incident." ®
