The UK’s St John Ambulance service says that it was hit by a ransomware attack earlier this week, but if the attackers hoped they might massively disrupt the volunteer first aid service then they’ll be massively disappointed.
According to an advisory published on the St John Ambulance website, the unnamed ransomware struck at 9am on Tuesday 2 July, but the issue was resolved within half an hour.
What did happen is that, temporarily, infected systems were not accessible, and data given by customers who had booked a place on training courses was locked. The charity says it does not believe that any information was stolen by hackers, and that other data related to cover supplies, events, ambulance operations, volunteering, volunteer data, employee data, clinical data and patient data was not impacted.
My reading of this is that St John Ambulance did not have to pay hackers a ransom to recover access to the encrypted data, but instead were able to put in place emergency recovery plans to restore from unaffected backup systems. That’s in marked contrast to ransomware attacks that have hit American cities in recent weeks – which have resulted in extortionists being paid over a million dollars.
What we don’t know at present is just how the ransomware made its way onto the St John Ambulance systems. Was the service specifically targeted by hackers or was it part of a wider indiscriminate attempt to spread ransomware? Did hackers exploit a vulnerability to plant ransomware on the charity’s network, or did a member of staff simply click on a malicious link that had been spammed out?
St John Ambulance says that it has notified the police, Information Commissioner’s Office (ICO) and Charity Commission about the security incident.
The news that St John Ambulance had calmly resolved the incident within half an hour seems pretty impressive to me, and – together with the transparency they show in their disclosure – will hopefully reassure those who deal with the charity. If only all organisations and companies could put themselves in a recovery position so confidently.
Earlier this week, Lake City in Florida announced that, following a ransomware attack, it had fired its director of information technology. The city paid US $460,000 worth of Bitcoin to the attacker, and it’s estimated that full recovery could still be two weeks away.
"We are confident that data has not been shared outside St John Ambulance."
What data of mine has been affected?
• Name of the person who booked the course
• Name of the person who attended (where different)
• Course attended
• Contact details provided
• Where a certificate has been issued, a delegate name
• Any other special requirement information that you gave us on booking
• Course costs that you have been charged
• Course outcome
• Invoicing details
• Where relevant, driving licence data
Which is it?
That's the list of data that they believe was *encrypted* by the ransomware. They don't believe it was exfiltrated (normally ransomware attacks encrypt rather than steal data).
Yes, they could have been a little less ambiguous in their security notice.
Half an hour? There's the realistic consideration that the incident response process can happen TOO quickly.