Health care prime target for cyber attackers due to potential high ransom payouts
Two national health services, the NHS in the United Kingdom and the National Health Laboratory Services in South Africa, responsible for blood tests, have been targeted by cyber attackers in quick succession. Health care services are prime targets because the data they hold is highly valuable, Blake Cahen from IronNet told NSN in an interview. Cahen said that although targeting health care services puts hackers on the map “in the worst way,” the data they gather is very valuable from a ransom perspective. There is also a high chance of actually receiving a ransom because critical services are impacted.
Chris Bateman, a South African medical editor and journalist, found himself at the centre of the health care hack in the country when the hackers tried to establish him as an intermediary in negotiations for a ransom.
The UK suffered what the former head of the National Cyber Security Centre, Professor Ciaran Martin, described as “one of the most serious cyber incidents in British history.” He told the BBC that he was horrified but not completely surprised, as ransomware attacks on healthcare are a major global problem.
The attack on the NHS targeted Synnovis, a pathology testing organisation, and was declared a critical incident, with 4,913 acute outpatient appointments and 1,391 operations postponed.
In South Africa, blood tests have also been severely affected after an attack on the country’s health laboratory service (NHLS).
Bateman said the hacker, speaking “in a heavy Eastern European accent,” identified himself as a middleman for Black Suit, an extortion operation that emerged in April/May 2023. The caller provided him with a link for the NHLS to pay the ransom. The hacker indicated that he wanted to discuss a way forward and said, “we can restored the data in a couple of hours. Otherwise it’s going to cost you millions of euros.”
The NHLS has indicated that it would take three weeks to build in better-grade anti-hack and anti-ransomware protection.
Bateman received a second call over the weekend, where the hacker again wanted him to pass on a link and refused to answer any questions.
South Africa’s crime investigation unit, the Hawks, has since been in contact with Bateman as well to collect evidence.
The impact of the South African hack, Bateman said, was widespread and debilitating. Blood and pathology tests are needed for anything from scans and radiology through to tuberculosis (TB) and HIV/Aids. “We have some of the highest load in the world of both. Diabetes is also particularly dangerous. We have the second highest fatality behind TB for diabetes. For people with certain kinds of diabetes,” he said, “they need three blood tests a day or they can die in the more serious cases.”
Across the board, Bateman said, whether it is to check liver function or kidney function before an operation, or viral loads, “blood is absolutely crucial and doctors are really, really upset.”
Cahen noted that the hackers’ decision to target something as significant as a health provider, coupled with the lack of communication from the victim, the NHLS in this case, speaks volumes. “They just want the money and will release the data, but often they get nothing in return,” he said. “If they’re not getting that in communication, they’ll grow more frustrated and keep reaching out, doing anything they can to get that contact to hopefully get the ransom.”
Outdated IT systems have been blamed for the NHS cyber attacks. Prof Martin remarked that it is evident that parts of the NHS estate have outdated IT. Cahen mentioned it could take three weeks for systems like South Africa’s blood tests to get back online, adding, “It is going to be millions of dollars cheaper to just pay the ransom. It is hard not to go that route unless forced by the government or another entity.”
However, Cahen warned that organisations could face “secondary extortion” if vulnerabilities are not properly patched. “If you pay the ransom once, what would stop you from paying it again?”
The hackers responsible for the breach in South Africa identified themselves as Black Suit. Cahen said they were also involved in a significant attack against a company that provides software to car dealerships, which left dealerships nationwide unable to sell cars. “They were supposed to get it back online this past week, but they fell victim to a second attack,” Cahen noted. “They’re going to target something with a wide impact to maximise the potential for a high ransom. In medical hacks, if you shut down something with critical impacts, you maximise the chance they’ll just pay to get operations back online.”
To avoid situations like the attacks on national pathology and blood services in the United Kingdom and South Africa, Cahen emphasised the importance of backups. “If you don’t have backups, you really have nowhere to go. Anything touching the internet or public-facing should be up to date and patched, and you should ensure your cybersecurity ecosystem is as protected and safeguarded as possible.” After a hack, incident response is critical.
“It is well known that once hackers get into the network, even if you pay the ransom, they could still be there, waiting a month, three months, six months, and then attack again and double extort you. You want to ensure they are out and understand completely how they got in so you can mitigate that vulnerability and prevent future breaches,” Cahen said.