Ransomware strikes Scottish mental health charity

Ransomware on a red screen
(Image credit: Shutterstock)

The ​​Scottish Association for Mental Health (SAMH) has confirmed that it has fallen victim to a ransomware attack that has affected its IT systems, including email and some phone lines.

SAMH confirmed to IT Pro that the attack had taken place but is still working to fully understand the incident.

"SAMH is currently dealing with an IT incident, which is affecting our colleagues’ ability to receive and respond to emails across both our national and local service locations,” a statement on its website reads. "Some of our national phone lines are also affected.

“Our local services are still reachable by phone and continue to support service users across Scotland.”

Cyber security researcher Soufiane Tahiri spotted a dark web data dump containing more than 12GB worth of data belonging to the charity on Monday. The gang behind the RansomEXX ransomware strain claimed responsibility by adding SAMH to its victim list.

The data includes sensitive information such as names address, email addresses, and passport scans. Onlookers have described the attack on the charity as “disgusting”.

"We are devastated by this attack," said Billy Watson, chief executive at SAMH to IT Pro. "It is difficult to understand why anyone would deliberately try to disrupt the work of an organisation that is relied on by people at their most vulnerable.

"Our priority is to continue to do everything we can to deliver our vital services. My thanks to our staff team who, under difficult circumstances, are finding ways to keep our support services running to ensure those they support experience as little disruption as possible.

"We are working closely with various agencies including Police Scotland - this is an active investigation. We will continue to take the best expert advice to assist us in effectively dealing with this situation."

IT Pro has asked SAMH for further clarity on the number of individuals affected by the breach and how long it expects disruption to last. This story will be updated when new developments are revealed.

The RansomEXX ransomware was first observed in 2018 but came to prominence in 2020 after a number of high-profile attacks on government departments like the Texas Department of Transportation.

Analysing the ransomware in 2021, cyber security company Cybereason said RansomEXX is typically used in “multi-staged human-operated attacks targeting various government-related entities”.

The ransomware is known for disabling security products to more easily infect a target machine. RansomEXX started on Windows but has more recently evolved to operate a Linux variant too, Cybereason said, though the Linux variant is less complex and lacks certain functionality like disabling security products.


Improve security and compliance

Adopting an effective security and compliance risk management approach


RansomEXX is also a file-less ransomware strain, “usually delivered as a secondary in-memory payload without ever touching the disk”.

Other RansomEXX victims include Embraer, one of the largest aircraft manufacturers in the world, Japanese business technology company Konica Minolta, and Brazil’s court system in November 2020.

The cyber criminals behind RansomEXX have also been found to have been targeting flaws in VMware’s ESXi hypervisor in October 2020.

Connor Jones

Connor Jones has been at the forefront of global cyber security news coverage for the past few years, breaking developments on major stories such as LockBit’s ransomware attack on Royal Mail International, and many others. He has also made sporadic appearances on the ITPro Podcast discussing topics from home desk setups all the way to hacking systems using prosthetic limbs. He has a master’s degree in Magazine Journalism from the University of Sheffield, and has previously written for the likes of Red Bull Esports and UNILAD tech during his career that started in 2015.