Scottish social care organisation falls victim to ransomware gang

A Scottish social care organisation that provides services to the homeless has fallen victim to a “sickening” cyber attack that has seen thousands of its files – including the personal information of employees and clients – posted online.

Glasgow-based Aspire, which works with vulnerable groups across the city, has been targeted by a ransomware gang which dumped a vast tranche of its corporate information on a dark web forum, after the organisation refused to pay its ransom demand.

And it emerged that the ransomware group – Conti – is the same one that hit the Scottish Environment Protection Agency (SEPA) in a devastating Christmas Eve hack, which left the organisation locked out of its network and from which it is still recovering.

The latest incident is part of a global surge in so-called ‘big game hunting’ ransomware attacks, which target organisations by revenue size in order to maximise profits in a lucrative criminal enterprise that has capitalised on corporate IT vulnerabilities during the Covid-19 pandemic.

Police said this afternoon that the incident was believed to have occurred on April 2 and was reported to them a day later, triggering a multi-agency response.

Detective Inspector Michael McCullagh, Cybercrime Investigations Unit, Police Scotland said: “We are investigating a cyber incident at Aspire, Glasgow, which was reported to police on Saturday, 3 April, 2021.

“Enquiries are ongoing and we are working closely with Aspire, their IT support, and the wider UK Cyber Law Enforcement network.

“We are aware of the publication of data and are supporting Aspire to help those affected by the sickening actions of these criminals. This continues in conjunction with Police Scotland’s Cyber Harm Prevention colleagues.”

The Conti gang released 19,571 files belonging to Aspire – which is an employee-owned organisation – on its underground web ‘blog’, on which it warns in broken English: “If you are a client who declined the deal and did not find your data on cartel’s website or did not find valuable files, this does not mean that we forgot about you, it only means that data was sold and only therefore it did not publish in free access!”

Among the files – which we are choosing not to publish – are private details of employees’ salaries, personal details of clients in receipt of services and email correspondence between senior members of the organisation, including its chief executive and senior management team.

The ransomware attackers published 100% of Aspire’s data on Friday April 23, around three weeks after the attack, which follows a similar pattern to how they deployed the so-called ‘double extort’ technique against SEPA. This method involves shutting the victim out of its network and stealing data to gain additional leverage in trying to force payment, usually demanded in Bitcoin.

Ultimately, the attempt more than likely failed, since only victims who pay are spared the release of their stolen data.

Jude McCorry, chief executive of the Scottish Business Resilience Centre (SBRC), said: “There are many ways, including ransomware, a business can experience a cyber security incident, with varying levels of complexity and disruption. Cyber incidents can occur through deliberate targeting, or even human error; the end result is the same: a disruptive effect on business operations.

“At SBRC, we are working in partnership with Police Scotland and Scottish government running the UK’s first collaborative cyber incident response helpline for organisations in Scotland.

“If you think that you are a victim of a cyber attack your first call should be to Police Scotland on 101 to report the crime (whilst respecting your IT systems as a crime scene) and our incident response helpline on 01786 437472, we will assist you with immediate support and expert guidance, and ensure you are speaking to the correct agencies and organisations to help you feel supported and get you back in operation securely.”

