NHS software provider Advanced has confirmed that it was the victim of a ransomware attack that resulted in the theft of sensitive customer data.
The company claims that an unknown cybercriminal used “legitimate third-party credentials” that gave them the ability to establish a remote desktop (RDP) session with the Staffplan Citrix server.
From there, the attackers moved across the network, escalating privileges where necessary to map it and to identify key endpoints and key data.
Cutting out the attackers
Two days later, after extracting enough sensitive files, the group deployed LockBit 3.0, a known and powerful strain of ransomware that encrypted all data on the network.
Advanced said the group was financially motivated, but did not specify how much money the group demanded for the decryption key and the return of the data, or whether the company paid.
As soon as Advanced realized that it was under attack, it disconnected all its systems from the Internet.
While this stopped the further escalation of the attack, it also temporarily prevented customers and users from accessing the systems. As a result, the company proceeded to re-establish the network in a “separate, secure and new environment”.
In total, the company claims that confidential information from 16 customers was stolen. It did not say exactly what the data contained, but said victims were notified in a timely manner and that it was able to restore all of the stolen information.
Further describing the recovery process, Advanced said it was able to move relatively quickly, but still needed to comply with government processes.
“While we were equipped and were able to completely rebuild some health and care products by the Monday following the incident, we were required to follow the assurance process set out by our partners at NCSC, NHS and NHS Digital.”
It said the process proved time-consuming and cumbersome.
“As we learned more about this assurance process and adjusted it in real time to meet specific requirements, it took longer than expected, affecting our overall recovery schedule. We have prioritized safety and security at every stage of our recovery process.”
“While working with the scanning and accounting systems, we continue to assess and/or develop recovery plans for the remaining affected products in parallel,” it concluded.
By: Digital Health