
Ransomware gang leaks data stolen from Scottish NHS board

Data stolen from an earlier attack on NHS Dumfries and Galloway has been leaked by a ransomware gang that claims to be in possession of much more content

The scope of a recent cyber incident at NHS Dumfries and Galloway, which initially came to light earlier in March 2024, may be on the verge of expanding to incorporate the wider Scottish health service, after a cyber criminal operation going by the name Inc Ransom claimed to be in possession of three terabytes of data purloined from NHS Scotland.

In a dark web posting, Inc Ransom claimed to have stolen data on over 140,000 clinical and back office staff working across the NHS in Scotland, and threatened to publish it “soon”. As is standard practice, it also posted a number of supposedly stolen items as proof. This small data dump is understood to include sensitive information including medical reports and letters to patients.

NHS Dumfries and Galloway, which serves communities in south-western Scotland, first acknowledged it had fallen victim to a “focused and ongoing” cyber attack on 15 March, and engaged at that point with various bodies including Police Scotland, the Scottish government and the UK’s National Cyber Security Centre (NCSC).

It said at the time there may be some disruption to frontline services, and noted the risk that its attackers may have stolen sensitive data.

In a new update, NHS Dumfries and Galloway said it was aware that clinical data relating to a “small number of patients” had been published following the attack on its systems. “We absolutely deplore the release of confidential patient data as part of this criminal act,” said NHS Dumfries and Galloway CEO Jeff Ace. “This information has been released by hackers to evidence that this is in their possession … Patient-facing services continue to function effectively as normal.”

He said NHS Dumfries and Galloway will be reaching out to patients whose data is known to have been leaked, and that work is ongoing to limit any sharing of it.

“NHS Dumfries and Galloway is very acutely aware of the potential impact of this development on the patients whose data has been published, and the general anxiety which might result within our patient population,” said Ace.

Most attacked sector

According to Check Point’s threat intelligence, healthcare is the third-most targeted industry by cyber criminals in the UK – despite the boasts of many ransomware gangs that they do not attack such organisations, an evident lie.

It said that considering how disruptive cyber attacks can be to critical care services, successful breaches in the NHS are much more impactful than in other industries, meaning the health service’s various components need to be at the top of their game.

Check Point global chief information security officer (CISO) Deryck Mitchelson, who was NHS Scotland’s CISO until 2022 and also sits on Scotland’s National Cyber Resilience Advisory Board (NCRAB), said: “Healthcare is the perfect hunting ground for cyber criminals. It has a vast attack surface consisting of many disparate legacy and newer technologies and reliance on a large network of third-party suppliers. The scale and complexity of services makes it very difficult to detect a breach, such as this one, until data has been exfiltrated or encrypted and critical services are impacted.

“A holistic cyber security strategy is needed that removes complexity, reducing the number of security products and controls in place,” he said. “In addition to substantial cost savings, this would deliver enhanced real-time visibility and a layer of preventative security, reducing the likelihood of a similar attack. Without embracing such a change, I fear we will continue to see major disruption to our most critical and vulnerable services.”

Inc Ransom

Inc Ransom is among a number of emergent ransomware operations that now seem to be filling the void left by recent law enforcement actions against the likes of ALPHV/BlackCat and LockBit. It first popped up in July 2023, and operates a standard double extortion practice – although it seems to shy away from the ransomware-as-a-service model for now. It’s a technically savvy operation, and like LockBit, enthusiastically leverages zero-day vulnerabilities.

Inc Ransom has tended to favour attacking organisations in the healthcare and education sectors, having named 20 victims so far in 2024.

Check Point researcher and software engineer Liad Dadash said the group’s claims to have attacked NHS Scotland were worth scrutiny.

“The cyber attack publicly disclosed by Inc Ransom on 26 March is reported to be associated with an ongoing investigation at NHS Dumfries and Galloway,” he said. “What we know is that many of the documents held by the cyber criminals appear to be from the same region of origin, adding credibility to the ransomware group’s assertions.”
