Social care organisation Aspire falls victim to data ransom attack
Thousands of files belonging to an organisation that provides homelessness services to vulnerable groups across Glasgow have been posted online in a “sickening” cyber attack.
Glasgow-based Aspire was targeted by criminals who dumped a vast tranche of its corporate information, including the personal information of employees and clients, on a dark web forum after the organisation refused to pay its ransom demand.
Conti, the ransomware group responsible for the attack, is the same that hit the Scottish Environment Protection Agency (SEPA) in a Christmas Eve hack, which left the organisation locked out of its network.
Police Scotland said that the incident was believed to have occurred on April 2 and was reported to them a day later, triggering a multi-agency response.
Detective Inspector Michael McCullagh, Cybercrime Investigations Unit, Police Scotland, said: “We are investigating a cyber incident at Aspire, Glasgow, which was reported to police on Saturday, 3 April, 2021.
“Enquiries are ongoing and we are working closely with Aspire, their IT support, and the wider UK Cyber Law Enforcement network.
“We are aware of the publication of data and are supporting Aspire to help those affected by the sickening actions of these criminals. This continues in conjunction with Police Scotland’s Cyber Harm Prevention colleagues.”
The Conti gang released 19,571 files belonging to Aspire – which is an employee-owned organisation – on its underground web ‘blog’, on which it warns in broken English: “If you are a client who declined the deal and did not find your data on cartel’s website or did not find valuable files, this does not mean that we forgot about you, it only means that data was sold and only therefore it did not publish in free access!”
The files contain private details of employees’ salaries, personal details of clients in receipt of services and email correspondence between senior members of the organisation, including its chief executive and senior management team.
The ransomware attackers published 100% of Aspire’s data on April 23, around three weeks after the attack, which follows a similar pattern to how they deployed the so-called ‘double extort’ technique against SEPA. This method involves shutting the victim out of its network, and stealing data to exact additional leverage in trying to force payment, usually demanded in Bitcoin.
Ultimately, the attempt more than likely failed as only successful extortions go unpunished in releasing stolen data of victims.
Jude McCorry, chief executive of the Scottish Business Resilience Centre (SBRC), said: “There are many ways including ransomware a business can experience a cyber security incident, with varying levels of complexity and disruption. Cyber incidents can occur through deliberate targeting, or even human error, the end result is the same, a disruptive effect on business operations.
“At SBRC, we are working in partnership with Police Scotland and Scottish Government running the UK’s first collaborative cyber incident response helpline for organisations in Scotland.
“If you think that you are a victim of a cyber attack your first call should be to Police Scotland on 101 to report the crime (whilst respecting your IT systems as a crime scene) and our incident response helpline on 01786 437472, we will assist you with immediate support and expert guidance, and ensure you are speaking to the correct agencies and organisations to help you feel supported and get you back in operation securely.”
In a statement on its website Apsire said: “On Friday 2 April 2021, we discovered that the Aspire server had been the victim of an apparent ransomware attack. We took immediate action to limit the impact of this incident. We have been working closely with multiple agencies including Police Scotland, this is an active investigation.
“Aspire services have been uninterrupted. We will work closely with all colleagues, staff and supported individuals in the coming months to minimise any potential impacts.
“We will continue to take expert advice to assist us in effectively dealing with this crime against Aspire.”