Date: Mar 2022

Location: United Kingdom

Summary

A Scottish mental health charity experienced a sophisticated ransomware attack claimed by the RansomExx group. The attack disrupted email systems and phone lines, but services were maintained through alternative channels. The attackers stole approximately 12GB of data, prompting an active investigation involving law enforcement. The organization prioritized service continuity despite operational challenges, condemning the targeting of vulnerable populations while restoring communication systems. RansomExx, known for high-profile attacks but with less focus on publicity, typically avoids systems using Russian or CIS languages.

Description

On March 17, 2022, the Scottish Association for Mental Health (SAMH) experienced a ransomware attack claimed by the RansomExx group, disrupting email systems and phone lines at national and local offices. The organization first publicly acknowledged the incident on March 18 through an initial statement confirming cybersecurity issues affecting communications infrastructure. By March 21, SAMH Chief Executive Billy Watson issued a detailed announcement describing the event as a "sophisticated and criminal cybersecurity attack" that devastated the charity. RansomExx listed SAMH on its leak site and claimed to have stolen approximately 12GB of data during the breach, though specific data types were not disclosed. The attack temporarily impaired organizational communications while local in-person and phone services remained operational across SAMH's 60 Scottish community locations.

SAMH immediately engaged Police Scotland and cybersecurity experts to investigate the active incident, with Watson emphasizing continuity of mental health services for vulnerable populations as the top priority. Staff implemented contingency measures to minimize service disruptions despite compromised digital systems. The ransomware group's involvement was confirmed by Emsisoft threat analyst Brett Callow, who noted RansomExx's history of targeting high-profile entities like Taiwan's GIGABYTE and Brazil's Lojas Renner while avoiding systems using Russian or CIS languages. Recovery efforts restored email functionality and affected phone lines by March 21, though the organization maintained contact through alternative channels throughout the disruption. No ransom payment details or data release confirmation were provided, and SAMH continues to cooperate with law enforcement and advisors to manage the consequences of the attack.
