It appears that RansomExx threat actors have hit the Scottish Association for Mental Health (SAMH).
On March 18, SAMH posted a notice on its website. The full notice says it was dealing with an “I.T incident, which is affecting our colleagues’ ability to receive and respond to emails across both our national and local service locations. Some of our national phone lines are also affected.”
The March 18th notice does not call it a ransomware incident or indicate that there has been any exfiltration of data. On March 20, the threat actors started leaking data. The initial proof of claim includes some image files with personally identifiable information, credit card information, some login credentials to their system, and even the personal information of a volunteer.
The full data leak is more than 12.5 GB of files in a 26-part archive. Yesterday, SAMH issued an updated statement:
“We are devastated by this attack. It is difficult to understand why anyone would deliberately try to disrupt the work of an organisation that is relied on by people at their most vulnerable.
“Our priority is to continue to do everything we can to deliver our vital services. My thanks to our staff team who, under difficult circumstances, are finding ways to keep our support services running to ensure those they support experience as little disruption as possible.
“We are working closely with various agencies including Police Scotland – this is an active investigation.
“We will continue to take the best expert advice to assist us in effectively dealing with this situation.”
SAMH communications are currently disrupted. Please see our previous announcement for more details.
Inspection of the data dump revealed that in addition to routine business internal documents including invoices and some banking, there were numerous files containing personal information of employees and volunteer staff, including their names with mobile telephone numbers, supervision and evaluations, and some grievance proceedings. DataBreaches.net noted that the data was organized by drives. Drives D, E, and F were in the dump. Those drives, while they contained Human Resources files, did not appear to contain databases with client information or weekly payroll information for employees. Whether the RansomExx also got those files and held them back from dumping is unknown to this site, but there was limited identifiable information on clients in the data dump that DataBreaches.net has seen so far. Apart from some case studies with details, most references to clients were by clients’ initials or first initial plus last name, and limited to notes from handovers between staff, and in one case, an incident report involving police.
This post will be updated if more information becomes available.