Rhysida ransomware gang hits hospital holding royal family’s data

The Rhysida ransomware operation behind the unfolding cyber attack on the British Library has struck the private King Edward VII Hospital in central London, from which it claims to have stolen data on the royal family, among other things.

The gang announced the attack via its dark web leak site last week, and posted images of documents supposedly in its possession, which appear to include copies of x-rays, medical reports, prescriptions and registration forms.

In line with its usual modus operandi, the ransomware operator is offering the stolen data for sale, with a price set at 10 bitcoin – approximately £300,000 at prevailing prices. That it has taken this step implies that the hospital has declined to negotiate a ransom.

If no buyer takes up the offer within seven days of the initial announcement, Rhysida has threatened to make the data publicly available. That deadline will pass on Tuesday 5 December.

The gang’s boast that a quantity of this data relates to the British royal family has not been verified and, like any claim made by cyber criminals, should be treated with extreme suspicion.

Computer Weekly understands that the royal family’s personal data is subject to particularly stringent cyber security controls and any organisations that hold it cannot do so without taking extensive additional precautions to safeguard it.

A hospital spokesperson said: “We recently experienced an IT security incident involving temporary, unauthorised access to our systems. We took immediate steps to mitigate the incident’s impact and continued to offer patient care and services, largely as normal.

“We also launched a comprehensive investigation, which confirmed that a small amount of data was copied from part of our IT system. While this was primarily benign hospital systems data, a limited amount of patient information was copied, and we are notifying a small subset of our patient database about this.

“The vast majority of patients are not affected by this in any way, and we offer our apologies for any concern this incident may cause,” they added.

Support from the UK’s National Cyber Security Centre and law enforcement has been drafted in.

Located in Marylebone in London, King Edward VII Hospital was founded by two sisters, Agnes and Fanny Keyser, at the turn of the 20th century, and was originally dedicated to providing care for sick and wounded servicemen returning from the Boer War in South Africa. It was later named for its first patron, King Edward VII.

It has maintained close links to the royal family over the past 120 years, providing care to the Queen Mother, Princess Margaret, Prince Philip, King Charles III, the Duchess of York, the Princess of Wales and the late Queen Elizabeth II.

Searchlight Cyber lead threat intelligence engineer Robert Fitzsimons said: “Rhysida is a ransomware-as-a-service [RaaS] group that has been active since at least mid-2023, currently having claimed the compromise of 60 victims according to their victim name-and-shame blog.

“Several open source reports indicate that Rhysida uses phishing, compromised VPN credentials and vulnerability exploitation as their initial access vector, showing versatility and a wide skill range in their affiliate group. Moreover, they don’t seem to target a specific industry or geographical location when it comes to choosing victims, encrypting any entity they can, however a small inclination towards companies in the education industry has been noticed.

“For encryption, they use the LibTomCrypt library and the ChaCha20 encryption algorithm. After gaining initial access to the victim’s network, Rhysida uses a number of legitimate tools, including Cobalt Strike, PsExec, ProcDump, AnyDesk, similar to other ransomware gangs,” he said.