nhls ransomware

Ransomware group BlackSuit today claimed responsibility for a ransomware attack on South Africa’s National Health Laboratory Service (NHLS), which forced the government institution to shut down its IT systems for two days last month. BlackSuit says it stole 1.2 TB of data during the attack, including business contracts, contacts, employee data, product data, financial data, and medical data.

NHLS CEO Koleka Mlisana stated the NHLS has not and will not communicate with BlackSuit, and refused to pay a ransom.

The claim on BlackSuit’s leak site says, “We would also like to point out that despite numerous attempts to contact the National Health Laboratory, they have done nothing but ignore us. However, they have repeatedly found time to provoke the media. Remember, it is the management of this company who do not care about their customers, partners, and subordinates—they will do anything for money. You have 72 hours to contact us; otherwise, the data will be published.”

Service disruptions at the NHLS resulting from the ransomware attack are ongoing as of time of writing. The NHLS said it is unable to issue test results to patients through its WebView portal. The NHLS website was unreachable by Comparitech staff at time of writing.

We don’t yet know how many people’s data is compromised, or how BlackSuit breached NHLS systems. Comparitech contacted the NHLS for comment and will update this article if it responds.

Who is BlackSuit?

BlackSuit–not to be confused with BlackCat or Black Basta–first emerged in April 2023, and has a history of attacking critical industries like healthcare, government, and education. It’s a private operation and doesn’t employ a ransomware-as-a-service business model. BlackSuit often extorts victims twice: once for the decryption key to restore attacked systems, and again in exchange for not selling or publishing stolen data.

Comparitech logged 31 confirmed attacks claimed by Black Suit so far this year. It has also claimed recent attacks against KADOKAWA Corporation and the Kansas City Police Department.

Ransomware attacks on healthcare

Hospitals, clinics, and other healthcare-related organizations are frequent targets for ransomware attacks. In addition to data theft, ransomware can disrupt key systems used for payments, making appointments, storing patient information, and more. Hospitals and clinics might be forced to cancel appointments and divert patients elsewhere, or resort to pen and paper until systems are restored.

Comparitech researchers recorded 63 confirmed attacks against healthcare organizations worldwide so far in 2024, compromising more than 5.5 million individual records.

BlackSuit is responsible for attacks on Group health Cooperative of South Central Wisconsin, Special Health Resources for Texas, the Montgomery County Board of Developmental Disabilities, and Akumin, Inc. Akumin filed bankruptcy shortly after BlackSuit attacked it.

We’ve tracked a further 116 unconfirmed attacks on healthcare organizations worldwide so far in 2024.

About the NHLS

The NHLS is a diagnostic pathology center for South Africa’s public sector. It operates 256 laboratories across South Africa and employs more than 8,000 people, according to external sources. It encompasses multiple divisions including the National Institute for Communicable Diseases, the National Institute for Occupational Health, a cancer registry, and vaccine manufacturing.