Hammersmith Medicines Research (HMR) in London takes pride in their record as specialists in pharmacology phase 1 and early phase 2 clinical trials — the kinds of trials that are needed before new medications can be approved for use by the public — and the kinds of trials that will be needed if new therapeutics are being tested to treat COVID-19. Like other clinical testing entities, HMR is on standby to start testing once some therapeutics or potential vaccines are ready for testing.
But then along came some cybercriminals who decided that HMR would be a good target to attack with ransomware. On March 14, HMR was attacked by Maze Team, who exfiltrated a copy of their data and then locked up everything and demanded a ransom to provide a decryption key.
Even though the attack was on a Saturday, HMR was able to halt it and restore their computer systems and email by the end of the day. They did not pay the ransom, and their managing and clinical director would later tell ComputerWeekly that they had no intention of paying.
“I would rather go out of business than pay a ransom to these people,” he said.
On March 18, Maze Team issued a press release, stating that until the pandemic eased up, they would not attack the medical sector. On March 19, I emailed Maze Team to commend them on that and to ask if they would give HMR the decryption keys and help restore them (at that point, we did not know that HMR had been able to restore services on their own). I received no reply that day or the next.
On March 21, Maze Team dumped some of HMR’s data — data that revealed a lot of personal and medical information about some of the volunteers in their studies.
To say that Maze Team got blasted by the media and anyone who heard about the data dump would be somewhat of an understatement.
In response, Maze Team issued yet another press release, claiming that because the attack had occurred *before* their March 18 pledge, that pledge did not apply. Their argument did not persuade anyone, but after a day or so, they did remove the data dump from public access and marked the space as temporarily removed. The data is still removed as of today.
This week, HMR published a copy of their notification to volunteers.
It may be one of the most transparent and clearly written notifications I have ever read — and that is saying a lot. They write, in part:
We’re sorry to report that, during 21–23 March 2020, the criminals published on their website records from some of our volunteers’ screening visits. The website is not visible on the public web, and those records have since been taken down. The records were from some of our volunteers with surnames beginning with D, G, I or J. The records were scanned copies of documents and results we collected at screening, including name, date of birth, identity documents (scanned passport, National Insurance card, driving licence and/or visa documents, and the photograph we took at the screening visit), plus health questionnaires, consent forms, information from GPs, and some test results (including, in a few cases only, positive tests for HIV, hepatitis, and drugs of abuse).
Even if your records weren’t among those that were published, the criminals might have stolen copies of them.
I think it’s pretty much certainly the case that Maze Team did get more data than what they dumped, as their next step would have been to dump more data. They wouldn’t have shown all their cards in their first data dump.
So will Maze dump more of their data at some point? Obviously, I hope they don’t. They have to know when a victim is not going to pay them. They can choose to be punitive and try to rationalize it as a warning to future victims, or they can just close the book on that one and walk away.