{
	"id": "82d67e99-fe88-4912-861f-792795f8c396",
	"created_at": "2026-04-06T00:22:25.25827Z",
	"updated_at": "2026-04-10T03:30:34.110557Z",
	"deleted_at": null,
	"sha1_hash": "d4f0d19b2cb1e7ad05182b4a658400890041a075",
	"title": "INC Ransom threatens to leak 3TB of NHS Scotland stolen data",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2355314,
	"plain_text": "INC Ransom threatens to leak 3TB of NHS Scotland stolen data\r\nBy Bill Toulas\r\nPublished: 2024-03-27 · Archived: 2026-04-05 21:45:25 UTC\r\nThe INC Ransom extortion gang is threatening to publish three terabytes of data allegedly stolen after breaching the\r\nNational Health Service (NHS) of Scotland.\r\nIn a post yesterday, the cybercriminals shared multiple images containing medical details and said that they would leak data\r\n\"soon,\" unless the NHS pays a ransom.\r\nScotland's NHS is the country’s public health system, providing services ranging from primary care, hospital care, dental\r\ncare, pharmaceutical, and long-term care.\r\nhttps://www.bleepingcomputer.com/news/security/inc-ransom-threatens-to-leak-3tb-of-nhs-scotland-stolen-data/\r\nPage 1 of 4\n\nINC Ransom is a data extortion operation that emerged in July 2023 and targets organizations in both the public and the\r\nprivate sector. Among the victims are education, healthcare, and government organizations, and industrial entities\r\nlike Yamaha Motor.\r\nReports about a cybersecurity incident disrupting NHS Scotland services appeared on March 15, likely when the attack\r\noccurred.\r\nIn yesterday's post, the threat actor published several sample documents with sensitive information about doctors and\r\npatients, including medical assessments, analysis results, and psychological reports.\r\nINC Ransom extortion page (BleepingComputer)\r\nOnly one regional health board affected\r\nA spokesperson for the Scottish Government told BleepingComputer that the cyberattack impacts only NHS Dumfries and\r\nGalloway, one of the regional health boards that make up NHS Scotland.\r\n\"We are aware of some data published on the web that is linked to the recent cyber-attack on NHS Dumfries and\r\nGalloway. 
This incident remains contained to NHS Dumfries and Galloway and there have been no further incidents across\r\nNHS Scotland as a whole,\" - Scottish Government\r\nThe spokesperson added that the government is working with multiple entities, including the health board, Police Scotland\r\nand other agencies (e.g. National Crime Agency, National Cyber Security Centre) to determine the impact of the breach \"and\r\nthe possible implications for individuals concerned.\" \r\nMeanwhile, NHS Dumfries and Galloway has confirmed today that a ransomware group leaked clinical data relating to a\r\nsmall number of patients.\r\nThe organization states that this was the result of the cyberattack that occurred two weeks ago, which compromised its IT\r\nsystems and resulted in the unauthorized access of “a significant amount of data including patient and staff-identifiable\r\ninformation.”\r\n“We absolutely deplore the release of confidential patient data as part of this criminal act,” stated NHS Dumfries and\r\nGalloway Chief Executive Jeff Ace.\r\n“This information has been released by hackers to evidence that this is in their possession.”\r\nAce said that patient-facing services are operating normally, and the organization is working with the police and the National\r\nCyber Security Center (NCSC) to formulate a response to the situation.\r\nMoreover, he assured that all patients who had their info leaked online will be informed directly by the NHS so they may\r\ntake the appropriate measures to protect themselves.\r\nSource: https://www.bleepingcomputer.com/news/security/inc-ransom-threatens-to-leak-3tb-of-nhs-scotland-stolen-data/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/inc-ransom-threatens-to-leak-3tb-of-nhs-scotland-stolen-data/"
	],
	"report_names": [
		"inc-ransom-threatens-to-leak-3tb-of-nhs-scotland-stolen-data"
	],
	"threat_actors": [
		{
			"id": "de5630ec-93e0-4ef5-9ac3-fe422789e03d",
			"created_at": "2024-11-01T02:00:52.730802Z",
			"updated_at": "2026-04-10T02:00:05.330644Z",
			"deleted_at": null,
			"main_name": "INC Ransom",
			"aliases": [
				"INC Ransom",
				"GOLD IONIC"
			],
			"source_name": "MITRE:INC Ransom",
			"tools": [
				"PsExec",
				"Nltest",
				"Rclone",
				"AdFind",
				"esentutl",
				"INC Ransomware"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434945,
	"ts_updated_at": 1775791834,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d4f0d19b2cb1e7ad05182b4a658400890041a075.pdf",
		"text": "https://archive.orkl.eu/d4f0d19b2cb1e7ad05182b4a658400890041a075.txt",
		"img": "https://archive.orkl.eu/d4f0d19b2cb1e7ad05182b4a658400890041a075.jpg"
	}
}