A Russian cybercriminal gang BlackCat claims to have hacked into one of Britain’s most prominent hospital groups and threatens to release much of its sensitive data.
Barts NHS Trust Attacked by ALPHV/BlackCat
On June 30, Russian extortionist group BlackCat, aka ALPHV, claimed to have hacked into Barts Health NHS Trust, one of England’s most prominent hospital trusts. The group claims they stole seven terabytes of sensitive data, which could reveal data on 2.5 million patients. These include passport information, credit card information, and financial statements. In addition, BlackCat threatened to release citizens’ confidential data if Barts Trust did not contact the gang within three days about the cyberattack and data theft. Although the group disclosed some stolen information, including employees’ passports and licenses, the attackers did not mention the encryption key. This suggests that they probably did not use a ransomware program.
What is Barts NHS Trust?
Barts NHS Trust is the largest NHS Trusts in the UK. It operates five hospitals in London, serving over 2.6 million people in a diverse area. They use a clinical information system to improve efficiency and patient care. The system has helped with record storage, appointment booking, and patient communication. In 2016, BARTS implemented an infection control reporting system to reduce the risk of infection transmission. They also use SNOMED CT to identify smoking patients and refer them to a cessation program. So as you can see, such an organization is no joke, and attackers are both brave and confident. Or should I say “folly”?
A word or two about BlackCat Ransomware
As mentioned, BlackCat (ALPHV or Noberus) is a highly advanced and dangerous ransomware first detected in November 2021. While it has been a significant threat in 2021 and 2022, its impact has decreased. This is evidenced by a 28 percent drop in recorded infections in late 2022. BlackCat is the first considerable malware written in Rust, a programming language gaining popularity due to its high performance and memory safety. An additional feature of BlackCat is its ability to compromise both Windows- and Linux-based operating systems. The ransomware-as-a-service (RaaS) is operated by a group of Russian-speaking cybercriminals called ALPHV.
BlackCat’s campaigns often use a triple-extortion tactic, demanding ransom for the decryption of infected files, not publishing stolen data, and not launching denial of service (DoS) attacks. BlackCat has targeted approximately 200 enterprise organizations from November 2021 to September 2022. They focus on financial, manufacturing, legal, and professional services companies. However, it has also affected other industries. BlackCat are more active in 2023 than in 2022. They have already compromised 209 victims in the first half of 2023, slightly less than the 215 victims they claimed in 2022.
Interestingly, many of these victims are within the healthcare industry, with 21 victims in 2023 compared to only 8 in 2022. While BlackCat/ALPHV has more healthcare victims than Cl0p or Lockbit 3.0, all ransomware attacks involve two distinct elements: an operator and an affiliate. Operators maintain the ransomware platform, while affiliates use it to attack suitable targets and split the profits with the operators. Therefore, the focus on healthcare victims cannot be attributed solely to the RaaS operators. Additionally, ransomware actors are opportunistic and will exploit victims if deemed profitable.
