The Barts Health NHS Trust has appeared on the dark web victim blog of notorious Russian ransomware gang BlackCat. The gang claims to have stolen over 70TB of sensitive data in a cyberattack, including CVs and financial reports, as well as internal hospital information.

Barts NHS Trust, which includes the Royal London Hospital, appears on BlaclCat’s victim blog. (Photo by Tupungato/Shutterstock)

The criminals have set a July 3 deadline for the trust to co-operate, but details of any ransom demand have not been published

Barts Health NHS trust cyberattack? Hospitals appear on BlackCat blog

Barts Health NHS Trust is a collection of six hospitals and ten clinics in East London. It includes The Royal London Hospital, St Bartholomew’s Hospital, Whipps Cross Hospital, Newham Hospital and Mile End Hospital. The trust oversees the care of over 2.5 million citizens

The trust appeared on the dark web blog today. BlackCat has said that it has copied 70TB of data, but there is no mention of a decryption key being available. This could mean the gang has not encrypted the information in an effort to quickly extort the hospital, a technique that is becoming increasingly popular among cybercriminals. 

BlackCat, also known as ALPHV, has said on the blog that the gang has gained access into a multitude of data points, and that it will release the data should the trust not engage in negotiations.

The gang claims to have “citizens’ confidential documents,” including personal and financial information.

Like many parts of the NHS, the health service’s cybersecurity is in need of investment, and speaking to Tech Monitor in March, Jonathan Bridges, chief innovation officer at cybersecurity vendor Exponential-e, said obtaining funding for tech projects was often tricky.

“It’s very difficult for the NHS to prioritise spend on new technology,” Bridges said. “That’s why its systems have become outdated and vulnerable in many cases, and the government’s new strategy to protect the NHS from attack is so urgently needed.”

Jon DiMaggio, chief security strategist at Analyst1, said that if data has fallen into BlackCat’s hands, it will be patients who suffer.

“It’s unfortunate, but what they will do is repurpose that data for identity theft for financial purposes,” DiMaggio says. “They’re going to want to use it for obtaining new lines of credit, credit cards, loans. There are all sorts of financial scams they can do with it.”

This data will either be auctioned off to the highest bidder or, failing that, packaged off to a dark web credentials market, he added.

Tech Monitor spoke to a member of the Barts Health NHS Trust IT team, who was unaware of any attack having taken place. NHS England has also been approached for comment.

BlackCat, also known as ALPHV, is a Russian ransomware-as-a-service gang, meaning its malware is available for other cybercriminals to buy and use. It is thought to have links to other infamous groups like REvil, BlackMatter and DarkSide. 

In fact, the gangs are more similar than previously thought, explains DiMaggio. “Four of the six people [in BlackCat] are from DarkSide, the gang that was part of the Colonial Pipeline attack that happened in 2020,” he says. Ransomware gangs often change identity to try and escape the gaze of law enforcement agencies.

Previous victims of BlackCat include the Ecuadorian Army, US defence contractor NJVC and two German oil companies.

According to a recent report by security company Veronis, 90% of the gang’s victims end up paying the ransom, which typically ranges from $400k-$3m in cryptocurrency.

First observed in action in November 2021, BlackCat initially made headlines due to its use of the Rust programming language, which makes it difficult to find ways to neutralise its malware.

Read more: BlackCat posts luxury watchmaker Seiko to its victim blog