View all newsletters
Receive our newsletter - data, insights and analysis delivered to you
  1. Technology
  2. Cybersecurity
June 30, 2023updated 27 Nov 2023 11:55am

Barts Health NHS Trust appears on BlackCat ransomware gang’s victim blog

Over 70TB of data has been stolen from one of NHS England's largest hospital trusts, the criminals claim.

By Claudia Glover

The Barts Health NHS Trust has appeared on the dark web victim blog of notorious Russian ransomware gang BlackCat. The gang claims to have stolen over 70TB of sensitive data in a cyberattack, including CVs and financial reports, as well as internal hospital information.

Barts NHS Trust, which includes the Royal London Hospital, appears on BlaclCat’s victim blog. (Photo by Tupungato/Shutterstock)

The criminals have set a July 3 deadline for the trust to co-operate, but details of any ransom demand have not been published

Barts Health NHS trust cyberattack? Hospitals appear on BlackCat blog

Barts Health NHS Trust is a collection of six hospitals and ten clinics in East London. It includes The Royal London Hospital, St Bartholomew’s Hospital, Whipps Cross Hospital, Newham Hospital and Mile End Hospital. The trust oversees the care of over 2.5 million citizens

The trust appeared on the dark web blog today. BlackCat has said that it has copied 70TB of data, but there is no mention of a decryption key being available. This could mean the gang has not encrypted the information in an effort to quickly extort the hospital, a technique that is becoming increasingly popular among cybercriminals. 

BlackCat, also known as ALPHV, has said on the blog that the gang has gained access into a multitude of data points, and that it will release the data should the trust not engage in negotiations.

The gang claims to have “citizens’ confidential documents,” including personal and financial information.

Content from our partners
Scan and deliver
GenAI cybersecurity: "A super-human analyst, with a brain the size of a planet."
Cloud, AI, and cyber security – highlights from DTX Manchester

Like many parts of the NHS, the health service’s cybersecurity is in need of investment, and speaking to Tech Monitor in March, Jonathan Bridges, chief innovation officer at cybersecurity vendor Exponential-e, said obtaining funding for tech projects was often tricky.

“It’s very difficult for the NHS to prioritise spend on new technology,” Bridges said. “That’s why its systems have become outdated and vulnerable in many cases, and the government’s new strategy to protect the NHS from attack is so urgently needed.”

Jon DiMaggio, chief security strategist at Analyst1, said that if data has fallen into BlackCat’s hands, it will be patients who suffer.

“It’s unfortunate, but what they will do is repurpose that data for identity theft for financial purposes,” DiMaggio says. “They’re going to want to use it for obtaining new lines of credit, credit cards, loans. There are all sorts of financial scams they can do with it.”

This data will either be auctioned off to the highest bidder or, failing that, packaged off to a dark web credentials market, he added.

Tech Monitor spoke to a member of the Barts Health NHS Trust IT team, who was unaware of any attack having taken place. NHS England has also been approached for comment.

BlackCat, also known as ALPHV, is a Russian ransomware-as-a-service gang, meaning its malware is available for other cybercriminals to buy and use. It is thought to have links to other infamous groups like REvil, BlackMatter and DarkSide. 

In fact, the gangs are more similar than previously thought, explains DiMaggio. “Four of the six people [in BlackCat] are from DarkSide, the gang that was part of the Colonial Pipeline attack that happened in 2020,” he says. Ransomware gangs often change identity to try and escape the gaze of law enforcement agencies.

Previous victims of BlackCat include the Ecuadorian Army, US defence contractor NJVC and two German oil companies.

According to a recent report by security company Veronis, 90% of the gang’s victims end up paying the ransom, which typically ranges from $400k-$3m in cryptocurrency.

First observed in action in November 2021, BlackCat initially made headlines due to its use of the Rust programming language, which makes it difficult to find ways to neutralise its malware.

Read more: BlackCat posts luxury watchmaker Seiko to its victim blog

Topics in this article :
Websites in our network
Select and enter your corporate email address Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
  • CIO
  • CTO
  • CISO
  • CSO
  • CFO
  • CDO
  • CEO
  • Architect Founder
  • MD
  • Director
  • Manager
  • Other
Visit our privacy policy for more information about our services, how Progressive Media Investments may use, process and share your personal data, including information on your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.