Cybercrime , Cybercrime as-a-service , Endpoint Security

RansomEXX Disrupts Scottish Association for Mental Health

Ransomware Group Leaks Stolen Data, Including Personal Information for Volunteers
RansomEXX Disrupts Scottish Association for Mental Health
SAMH's disruption alert (Source: SAMH website)

Yet another ransomware-wielding group of criminals has hit an organization in the health sector. This time, it's cybercrime group RansomEXX, which has been trumpeting an attack against the Scottish Association for Mental Health.

See Also: The Expert Guide to Mitigating Ransomware & Extortion Attacks

The crime gang says it has stolen more than 12GB of data from Glasgow, Scotland-based SAMH. Stolen data allegedly includes images of unredacted driver's license and passport details for volunteers and other individuals associated with the organization, which is a registered charity.

Security experts have condemned the attack on SAMH, calling it "heartless" and "dirty work."

It's not clear when the organization was first targeted. But on Friday, SAMH said it was dealing with an incident that had compromised its ability to send or receive emails, without specifying the nature of the disruption.

"Some of our national phone lines are also affected," SAMH said at the time, although its website and local phone numbers remained operational.

On Sunday, RansomEXX leaked 12.5GB of data it allegedly stole from SAMH, according to security firm BetterCyber.

The data was published in 26 downloadable files of 500MB each, according to a review of the leaks published by information security expert Graham Cluley.

Leaked information includes "unredacted photographs of individuals' driving licenses and passports; personal information such as volunteer home addresses and phone numbers; and - in some cases - even passwords and credit card details," Cluley says in a blog post.

Organization 'Devastated' by Data Leak

Billy Watson, who heads SAMH, says his organization is "devastated" by the attack. "It is difficult to understand why anyone would deliberately try to disrupt the work of an organization that is relied on by people at their most vulnerable," he says.

Watson says the attack on SAMH has left its services in disarray and forced the organization to find ways to keep the support services running with "as little disruption as possible," albeit with limited resources.

Redacted samples of leaked driver's licenses and passports (Source: Graham Cluley)

SAMH is working closely with several organizations, including Police Scotland, to investigate and remediate the attack. Citing the active investigation, Watson declined to offer further details about the attack.

Police Scotland did not immediately respond to Information Security Media Group's request for additional information. Attempts to reach SAMH were unsuccessful, apparently owing to its email capabilities and phone lines remaining disrupted.

Repeat Victim: Health Sector

Cybersecurity experts have condemned the attack, not least because it's against an organization in the health sector.

"You're not going to get paid a ransom by SAMH - they simply don't have the means to spend money on extortionists when they need every penny they can to support those with very real needs," Cluley says in his blog post. "Hand over the decryption keys to SAMH so they can restore their systems, and permanently erase the information you have stolen from them. If you have an ounce of decency within you, help the SAMH in their hour of need."

Likewise, Kevin Beaumont, a former Microsoft threat analyst who now heads the security operations center for Arcadia Group, has called on the criminals to give the mental health organization the needed decryption keys.

"RansomEXX … should provide the recovery keys for free ASAP if they're reading please," Beaumont says.

But whether such entreaties might lead to the group furnishing a free decryption tool remain to be seen. Many ransomware groups claim to not target the health sector, although at least some actively do so.

In practice, most ransomware groups appear to hit whoever they can - provided the targets are not in Russia or one of its close allies - and then to backtrack if the target proves to be inconvenient or embarrassing (see: Secrets and Lies: The Games Ransomware Attackers Play).

Remediation Is Never 'Free'

But even if some healthcare and government victims receive a "free decryptor" after supposedly being "inadvertently" hit, that won't magically repair the damage. Even with a working decryptor, remediating such attacks and rebuilding affected systems can be a lengthy, painful process.

In May 2021, for example, the Conti ransomware group hit Ireland's Health Service Executive. Soon thereafter, HSE received a free decryptor from the group. But patient care in the country remained significantly disrupted for months, owing to the time required to wipe and restore every affected system.

Executive Editor Mathew Schwartz contributed to this report.


About the Author

Mihir Bagwe

Mihir Bagwe

Principal Correspondent, Global News Desk, ISMG

Bagwe previously worked at CISO magazine, reporting the latest cybersecurity news and trends and interviewing cybersecurity subject matter experts.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.com, you agree to our use of cookies.