News reaction: Threat group BlackCat claims attack on Barts NHS Trust

06 July 2023

Earlier this week it was reported that Russian threat group BlackCat, also known as ALPHV, claimed the recent attack on Barts NHS Trust, one of England’s largest hospital trusts, which could expose data of 2.5 million patients.

Information from the Barts Health NHS Trust appeared on the dark web where the threat group claimed to have stolen over 7TB of sensitive data in what they claim is the "most bigger leak from health care system in UK (United Kingdom)" including passport information, credit card details, financial reports and more.

We caught up with our Threat Intelligence team to explore the group’s activity over the past year, including observations from our monthly Threat Pulse.

BlackCat/ALPHV ramps up its activity in 2023 with a specific focus on the healthcare industry

BlackCat/ALPHV are already more active in 2023 compared to 2022. Within the first half of 2023, they have compromised 209 victims, which is 6 fewer victims than they claimed in all of 2022 (215). The number of victims classified within healthcare is notable, with 2023 seeing 21 victims so far, compared to 8 in all of 2022. Other victims are found in government (5), academics (5) and other institutions (1), making up 5% of their total victim count.

Compared to the top three most successful ransomware actors of 2023, BlackCat/ALPHV has a relatively high number of victims classified within the healthcare industry:

  • BlackCat/ALPHV: 10% (21)
  • Cl0p: 8% (18)
  • Lockbit 3.0: 5% (25)

Ransomware as a service (RaaS)

RaaS offerings contain at least two distinct elements: an operator and an affiliate. The operators maintain the ransomware platform and develop its functions in accordance with market demand. The affiliates make use of the ransomware platform and split the profit from successful attacks with the operators whose platform they use. The affiliates are the ones who find suitable targets, perform the necessary steps to gain the appropriate privileges, and levy their chosen ransomware strain against the victim. As such, a perceived focus on victims within the healthcare industry is not to be ascribed to the RaaS operators. Furthermore, ransomware actors' motivation is thought to be mainly opportunistic. If a victim can be exploited with relative ease, the actors will do so. Alternatively, as their end goal is the acquisition of funds, the benefit of successful extortion must outweigh the cost associated with an attack.

Conclusion

Although BlackCat/ALPHV has been active this year, and the percentage of healthcare victims is notably higher than in 2022, further statements about BlackCat/ALPHV's focus or secondary motivation should be made cautiously:

  • 10% remains a small percentage of their victims
  • Other ransomware groups tally a comparable number of healthcare victims
  • The RaaS model makes it difficult to ascribe a focus or motivation to the ransomware platform’s operators
  • The primary motivation for ransomware groups will always be monetary gain


Contact

NCC Group Press Office

All media enquiries relating to NCC Group plc.

press@nccgroup.com

+44 7721577574