NHS Moorfields Hospital in Dubai confirms cyber attack, after ransomware data leak threats

The UAE-based Moorfields Eye Hospitals has confirmed a cybersecurity incident after a ransomware group was seen threatening to leak stolen data.

Moorfields Eye Hospitals in the UAE is a branch of Moorfields London, part of Britain’s National Health Service (NHS).

As of yesterday, as observed by Security Report, the Moorfields Hospitals UAE website is showing the following message:

“Moorfields Dubai has recently been the subject of an IT security incident on one of its servers.”

“We are undertaking an urgent thorough investigation, led by a leading cybersecurity specialist agency, to ascertain what information could have been accessed.”

Patient appointments are expected to go on as normal.

“We continue to offer our full range of services and we advise all patients to attend their appointments as scheduled,” states the notice.

AvosLocker claims responsibility for the attack

Ransomware group AvosLocker claimed responsibility for the attack on Moorfields on their leak site, as of August 15th, 2021.

AvosLocker also states they have obtained 60 GB of proprietary data, including patient information, that they will leak if the ransom demand is not met.

AvosLocker posted sample materials including ID cards and patient data on their leak site (Security Report)

As seen by Security Report, some of the proofs posted by AvosLocker include:

  • Copies of ID cards, passports and travel documents
  • Insurance claim forms
  • Accounting documents, such as aged trial balances
  • Hospital call logs
  • Internal memos

A call log spreadsheet provided in the sample data dump (Security Report)

AvosLocker is known for infecting Windows machines to encrypt files and add a “.avos” extension to them.

Typically, the ransomware group uses spam emails or misleading advertisements as the primary delivery mechanisms for the malware. To encrypt data, AvosLocker employs a customized version of the Advanced Encryption Standard (AES) algorithm with block size 256, according to cybersecurity firm Cyble.

With recent cyberattacks on healthcare facilities, some even leading to loss of life, ransomware groups now pose an ever-increasing risk to critical infrastructure.

Moorfields UAE is already in the process of notifying the affected patients. Those who are concerned they might be affected can also email incident@moorfields.ae.

Ax Sharma

Ax Sharma is an Indian-origin British security researcher, journalist and TV subject matter expert with a focus on malware analysis and cybercrime investigations. His areas of interest include open source software security, threat intel analysis, and reverse engineering. Frequently featured by leading media outlets like the BBC, Channel 5, Fortune, WIRED, The Register, among others, Ax is an active community member of the OWASP Foundation and the British Association of Journalists (BAJ).
