BlackCat gang claims cyber attack on Barts NHS Trust

Investigations continue into a claim by the ALPHV/BlackCat ransomware gang that it has stolen 7TB of data from Barts NHS Trust in London

Alex Scroxton,
Security Editor

Published: 03 Jul 2023 15:15

The Russian-speaking ALPHV or BlackCat ransomware operation has named Barts NHS Trust on its dark web leak site, claiming to have exfiltrated 7TB of data from the group, but almost three days after news of the incident came to light, its precise nature and circumstances remain unclear.

The dark web posting was made on the afternoon of Friday 30 June, and a copy of the notice has since been reviewed by Computer Weekly. It is written in typically broken English, and claims to be the “most bigger leak from health care system in UK”.

The gang said: “You have 3 days for contact with us to decide this pity mistake, which made your IT department, decide what to do in next step. If you prefer to keep silence, we will start publicate data, most of it – citizens confidential documents [sic]”.

The data dump allegedly includes personally identifiable information (PII) on clinicians and Trust employees, including CVs and social security numbers (presumably referring to National Insurance), as well as financial reports, accounting and loan data, and insurance agreements. It also supposedly includes client documentation and credit card data.

A successful ransomware attack on an NHS Trust such as Barts, which operates five major London sites – St Bartholomew’s Hospital, The Royal London Hospital, Mile End Hospital, Whipps Cross Hospital and Newham Hospital – serving more than 2.5 million people – would have caused significant disruption and made national headlines.

The fact this has not happened could indicate that ALPHV/BlackCat has not deployed any ransomware on Barts’ systems at all. This is now a common tactic, as like any legitimate organisation, financially motivated cyber crime gangs will try to take the path of least resistance to maximise the potential return on their “investment”. Lately, this has been evidenced by Clop’s ongoing attacks on users of the MOVEit file transfer product.

Alternatively, it could suggest that the gang was interrupted and evicted from Bart’s systems after it had exfiltrated data but before it had executed its locker.

Speaking before the weekend, a Barts’ spokesperson merely confirmed that the organisation was aware of the claims and was investigating “as a matter of urgency”.

Its press office had not responded to a request for further comment at the time of writing. Almost 72 hours after the gang first posted Barts’ name online, there remains no public evidence, other than its word, to support its claims.

Long-running operation

The ALPHV/BlackCat operation, which also goes by Noberus and is thought to have links to earlier operations such as BlackMatter, the DarkSide gang that attacked Colonial Pipeline in 2021, and possibly REvil, is itself one of the longer-established players in the Russian cyber criminal underground.

It formerly operated a malware known as Carbanak, which targeted banks and was likely used to steal close to $1bn over the course of its shelf life.

Since pivoting to ransomware, ALPHV/BlackCat has emerged as a highly dangerous operator, coming to prominence in the first two months of 2022 with a series of attacks on fuel and transport infrastructure operators.

This year, it is known to have targeted the systems of storage firm Western Digital, taking its MyCloud and SanDisk services offline for nearly a fortnight in May, and multinational payment giant NCR, which was hit in April and caused service problems for hospitality organisations using its Aloha point-of-sale platform.

Read more on Hackers and cybercrime prevention

Threat actors leverage kernel drivers in new attacks