News: 1732883086

  ARM Give a man a fire and he's warm for a day, but set fire to him and he's warm for the rest of his life (Terry Pratchett, Jingo)

Ransom gang claims attack on NHS Alder Hey Children's Hospital

(2024/11/29)


Yet another of the UK's National Health Service (NHS) systems appears to be under attack, with a ransomware gang threatening to leak stolen data it says is from one of England's top children's hospitals.

The attack on Liverpool's Alder Hey Children's Hospital and Liverpool Heart and Chest Hospital NHS Foundation Trust is apparently unconnected to an ongoing cyber "incident" at [1]the Wirral University Teaching Hospital NHS Trust that is causing severe disruption at hospitals nearby.

The children's hospital also dispelled any possible links to the Wirral incident, ongoing since [2]earlier this week , which was allegedly carried out by rival ransomware crooks over at RansomHub.

[3]

INC Ransom, the group that claimed responsibility for an attack on NHS Scotland in June this year, now claims to have stolen data from Liverpool's Alder Hey Children's Hospital and Liverpool Heart and Chest Hospital NHS Foundation Trust.

[4]

[5]

The criminals published a limited sample of the allegedly stolen data, which includes the full names and addresses of supposed patients and donors, the amount of money said donors have given to the hospital, patients' medical reports (including unique hospital numbers and dates of birth), and financial documents.

They claimed the data goes back to 2018 and runs right up to 2024.

[6]

In a statement issued on Thursday, Alder Hey said: "We are aware that data has been published online and shared via social media that purports to have been obtained illegally from systems shared by Alder Hey and Liverpool Heart and Chest Hospital NHS Foundation Trust. We are working with partners to verify the data that has been published and to understand the potential impact.

"We are taking this issue very seriously and are working with the National Crime Agency (the NCA) as well as partner organizations to secure our systems and to take further steps in line with law enforcement advice as well as our statutory duties relating to patient data."

The Register reached out to Alder Hey and the NCA for additional information about the situation but neither immediately responded.

[7]

Just a few miles away and separated only by a narrow stretch of the River Mersey, the two attacks on the geographically linked Alder Hey and Wirral NHS Trusts is something of an anomaly. It's rare, but not unheard of, for NHS organizations to be attacked given the degree of disruption criminals can cause, but for two attacks to occur in the same week within a stone's throw of each other is very much an oddity.

Alder Hey said, unlike its neighbors in Wirral, that its services are operating as normal and no scheduled appointments or procedures were impacted.

[8]Mega US healthcare payments network restores system 9 months after ransomware attack

[9]Ransomware's ripple effect felt across ERs as patient care suffers

[10]LockBit shows no remorse for ransomware attack on children's hospital

[11]Lurie Children's Hospital back to pen and paper after cyberattack

The hospital is one of the largest and busiest of its kind in Europe, and deals with all manner of cases from minor to the most complex. Alongside London's Great Ormond Street Hospital, it's a pioneer in medical research and is among the most recognizable names in UK healthcare.

INC Ransom is the same band of scumbags that [12]attacked NHS Dumfries and Galloway back in March and in similar fashion to Alder Hey, it plastered a bunch of stolen data online as a means to dial up the pressure and have its extortion demands met.

The Scottish NHS Trust it attacked later [13]confirmed the criminals got their hands on 150,000 people's data after it refused to meet the gang's demands. INC Ransom allegedly stole up to 3TB worth of data from the Trust. ®

Get our [14]Tech Resources



[1] https://www.theregister.com/2024/11/28/wirral_nhs_cyber_incident/

[2] https://www.theregister.com/2024/11/26/third_major_cyber_incident_declared/

[3] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2Z0nzLlPLBgOPLAjC-o7jQAAAAE4&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0

[4] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44Z0nzLlPLBgOPLAjC-o7jQAAAAE4&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0

[5] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33Z0nzLlPLBgOPLAjC-o7jQAAAAE4&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0

[6] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44Z0nzLlPLBgOPLAjC-o7jQAAAAE4&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0

[7] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33Z0nzLlPLBgOPLAjC-o7jQAAAAE4&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0

[8] https://www.theregister.com/2024/11/20/change_healthcares_clearinghouse_services/

[9] https://www.theregister.com/2024/10/24/ransomware_ripple_effect_hospitals/

[10] https://www.theregister.com/2024/02/01/lockbit_ransomware_attack_hospital/

[11] https://www.theregister.com/2024/02/05/lurie_childrens_hospital_cyberattack/

[12] https://www.theregister.com/2024/03/28/nhs_scotland_cyberattack/

[13] https://www.theregister.com/2024/06/18/nhs_dumfries_and_galloway_letter/

[14] https://whitepapers.theregister.com/



Martin Summers

Line them up against a wall and shoot. No mercy for vermin who attack healthcare in particular.

Re: No mercy for vermin who attack healthcare

cyberdemon

Tell that to the [1]IDF..

By April, WHO had verified 906 attacks on healthcare in Gaza, the West Bank, Israel, and Lebanon.[5] As of June 2024, according to WHO, Israel has attacked 464 health care facilities, killed 727 health care workers, injured 933 health care workers, and damaged or destroyed 113 ambulances [6]

Not to mention the number of children's hospitals blown up by Mad Vlad

Not trying to minimise the ransom scum here obviously, but just pointing out the much larger scale scummery coming from Israel and Russia that everyone seems to want to forget about these days

Tbh i'd guess this latest cyber scummery is probably linked to the above, i.e. either coming from Russia in revenge for the UK's support for Ukraine, or from Iran in revenge for the UK's support for Israel

[1] https://en.wikipedia.org/wiki/Attacks_on_health_facilities_during_the_Israel%E2%80%93Hamas_war

Re: No mercy for vermin who attack healthcare

Martin Summers

Completely agree with you. No doubt some of these places are being used as shields, but targeting them is not the answer. The innocent are never considered in matters of war or targeted attacks. It's easy to launch an attack from a far off place coldly and clinically and never see, understand or feel the hell unleashed.

Re: No mercy for vermin who attack healthcare

Anonymous Coward

"No doubt some of these places are being used as shields, but targeting them is not the answer".

Agreed - using civilians as a human shield is cowardly and despicable, but choosing to smash through that shield *anyway* to get at the people behind it is grotesque.

Doctor Syntax

"Line them up against a wall and shoot."

First get your hands on them.

Serious rewards for information leading to arrest might help. If it happened that a necessary preliminary were abduction from somewhere where arrest is not feasible to somewhere where it is, so be it.

Private networks

tip pc

These systems should be interconnected via private networks, not generally available via the internet.

Remote access should be to hosted virtual desktops etc with strong security & limited access etc.

in my time in government all our sites where interconnected via frame relay then private mpls, Internet break out was via 2 main sites only via proxies etc.

Its still possible to get private mpls circuits and also hop across privately to the big databarns like aws/azure/gcp etc without making those systems directly addressable to the general internet.

its possible that the hospitals are connected privately and the miscreants came in over the internet & exfiltrated / caused their mayhem that way but less likely especially if good internet access controls are used.

its time a government security department ensured high standards of security for these systems & could swoop in to take control when things like this happen.

i guess there is this

https://www.npsa.gov.uk

https://www.security.gov.uk/policy-and-guidance/secure-by-design/principles/

& the good practice guide in what ever form its in now.

S4qFBxkFFg

We need a law against ransom payments (or more generally, paying anyone known to be committing serious crime), one which doesn't have any loopholes for the various "consultants" who take advantage of the victims.

There would need to be rewards for whistleblowers too. The idea would be to make it impossible for any organisation, private or public, to make a substantial ransom payment without the risk that (for example) a low-level finance employee will notice something funny and report it for the reward.

Wang Cores

Attacking a children's hospital is literally villain shit.

What next, we gonna have an epidemic of weirdoes tying women to thoroughfares and twirling their mustaches while doing so?

Gay shlafen: Yiddish for "go to sleep".

Now doesn't "gay shlafen" have a softer, more soothing sound than the
harsh, staccato "go to sleep"? Listen to the difference:
"Go to sleep, you little wretch!" ... "Gay shlafen, darling."
Obvious, isn't it?
Clearly the best thing you can do for you children is to start
speaking Yiddish right now and never speak another word of English as
long as you live. This will, of course, entail teaching Yiddish to all
your friends, business associates, the people at the supermarket, and
so on, but that's just the point. It has to start with committed
individuals and then grow....
Some minor adjustments will have to be made, of course: those
signs written in what look like Yiddish letters won't be funny when
everything is written in Yiddish. And we'll have to start driving on
the left side of the road so we won't be reading the street signs
backwards. But is that too high a price to pay for world peace?
I think not, my friend, I think not.
-- Arthur Naiman, "Every Goy's Guide to Yiddish"