Scottish charity hit by cyber attack

'It is difficult to understand why anyone would deliberately try to disrupt the work of an organisation that is relied on by people at their most vulnerable', says CEO

The Scottish Association for Mental Health (SAMH) has been hit by a cyber attack that disrupted its phone lines and email services.

The attack took place last Thursday, and has been claimed by the group RansomEXX, which reportedly posted 12 GB of stolen data on the dark web, including unredacted photographs of driving licences, credit cards and passports, and personal data including the addresses and phone numbers of staff and volunteers.

SAMH provides mental health support to adults and young people across Scotland.

"We are devastated by this attack. It is difficult to understand why anyone would deliberately try to disrupt the work of an organisation that is relied on by people at their most vulnerable," said CEO Billy Watson, in a statement on the charity's website.

The statement went on to say that communications are still disrupted and that the police are investigating.

"We will continue to take the best expert advice to assist us in effectively dealing with this situation," Watson said.

The RansomEXX ransomware gang, also known as (or at least closely associated with) Defray 777, emerged in 2017, but stepped up its activities in 2020, with victims including Konica Minolta, the Montreal transit system, the Texas Department of Transportation, the judiciary and aircraft manufacturer Embraer of Brazil, and computer components manufacturer Gigabyte.

It tends to go after large organisations, and attacking a small charity with limited means to pay would not be typical of its activities so far.

The RansomEXX malware strain is usually delivered by email in an infected Word document. If the recipient enables macros when prompted, a malicious trojan is downloaded onto the user's machine, where it disables security software.

It is typically used in a multi-stage attack on Windows networks, although Linux versions have also been seen by security researchers.