Cyberattack on Serco: NHS Test & Trace Contractor

Managed services 02/05/2021 - 08:20 by Swami Nathan

According to reports, a multi-national outsourcing firm that operates part of the UK's COVID-19 Test and Trace framework has been struck by ransomware.

Serco, headquartered in Hampshire, oversees over 500 contracts worldwide, working in sectors such as health, transportation, justice, immigration, security, and services for residents.

Serco, a British services corporation employing 50,000 people and overseeing hundreds of contracts around the world, reported to Sky News that it had suffered an attack. The company did not, however, comment on the effect or whether it had paid the ransom demand.

According to the report, the Babuk gang claimed responsibility for the attack on Thursday 25 October, but Serco did not publicly acknowledge the incident until Sunday, January 31, when a spokesperson confirmed it.

A spokesperson for Serco said:

A cyberattack has been carried out on Serco's mainland European sector. Our continental European business, which accounts for less than 3 percent of our overall business, was isolated from the attack. It has not influenced our UK company or the services we provide for our UK clients.

The publication also found that the attackers used the Babuk ransomware, which emerged only in the last few months and about which little information is available.

According to an NHS Digital advisory released last month, when the Babuk Loader is deployed, it seeks to "terminate various expert security, and restoration services as well as database, browser, and email programs".

"It then encrypts all non-technical documents working with a ChaCha8 implementation on regional and network drives, the keys for which are then encrypted using a customized elliptic curve Diffie-Hellman implementation that is believed to depend on a number of components released by the US National Institute of Standards and Technology".
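The service-termination stage the advisory describes (stopping security, backup and database software before encryption starts) leaves a footprint in the Windows System log as Service Control Manager event 7036. The Python below is an added example, not code from the article or from NHS Digital: it parses constructed sample log lines and flags a burst of such service stops within a short window. The flattened log format, the keyword list and the thresholds are assumptions a defender would tune to their own environment.

```python
import re
from datetime import datetime, timedelta

# Constructed sample System log lines (event 7036), flattened to
# "timestamp|event_id|message" for this example. Not real incident data.
SAMPLE_LOG = """\
2021-01-28T02:14:03|7036|The Windows Defender Antivirus Service service entered the stopped state.
2021-01-28T02:14:04|7036|The Veeam Backup Service service entered the stopped state.
2021-01-28T02:14:04|7036|The Volume Shadow Copy service entered the stopped state.
2021-01-28T02:14:05|7036|The SQL Server (MSSQLSERVER) service entered the stopped state.
2021-01-28T02:14:06|7036|The Acronis Agent service entered the stopped state.
2021-01-28T09:30:11|7036|The Print Spooler service entered the stopped state.
2021-01-28T09:30:12|7036|The Print Spooler service entered the running state.
"""

# Assumed keywords for the service families the advisory says are terminated:
# security, backup/restoration and database software.
TARGET_KEYWORDS = ("defender", "antivirus", "backup", "shadow copy",
                   "acronis", "veeam", "sql", "exchange")
STOP_RE = re.compile(r"^(?P<ts>\S+)\|7036\|The (?P<svc>.+?) service entered the stopped state\.$")


def parse_stop_events(log_text):
    """Return (timestamp, service name) for every 'entered the stopped state' event."""
    events = []
    for line in log_text.splitlines():
        m = STOP_RE.match(line.strip())
        if m:
            events.append((datetime.fromisoformat(m.group("ts")), m.group("svc")))
    return events


def find_mass_service_stops(log_text, window_seconds=60, threshold=3):
    """Group stops of protection-related services into bursts (gap <= window)
    and return the service names of every burst with at least `threshold` stops."""
    hits = sorted((ts, svc) for ts, svc in parse_stop_events(log_text)
                  if any(k in svc.lower() for k in TARGET_KEYWORDS))
    window = timedelta(seconds=window_seconds)
    bursts, current = [], []
    for ts, svc in hits:
        if current and ts - current[-1][0] > window:
            bursts.append(current)
            current = []
        current.append((ts, svc))
    if current:
        bursts.append(current)
    return [[svc for _, svc in b] for b in bursts if len(b) >= threshold]


if __name__ == "__main__":
    for burst in find_mass_service_stops(SAMPLE_LOG):
        print("ALERT: %d protection services stopped within a minute: %s" % (len(burst), burst))
```

The isolated Print Spooler restart in the sample is not flagged; only the clustered stops of antivirus, backup, shadow-copy and database services raise an alert.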

The cybercriminals have been "surfing within [Serco's] network for about three weeks and copying much more than 1 TB of your data", according to the ransom addressed to Serco.

Cybersecurity Insiders reports that the Babuk ransomware sample submitted to VirusTotal in connection with this attack has had a profound effect on Serco's European operations. The threat actors, who threatened to leak the information online if the company declined to pay a ransom of $85,000 in Bitcoin, allegedly stole around 1 TB of data related to NATO and the Belgian army.

It is currently unclear what initial access vector Babuk uses, although there are unconfirmed reports that it exploits exposed Remote Desktop Protocol services.

The group's members seem to be under the delusion, like many other ransomware operators, that they are not offenders, identifying themselves as "some kind of cyberpunks [sic]" who perform random penetration testing exercises.

The gang says it does not target hospitals, or victims with annual sales of under $4 million, with the exception of private plastic surgery clinics and dental practices. It also claims to steer clear of non-profit charities, except for LGBTQ+ groups and those affiliated with Black Lives Matter, which may hint at the cybercriminals' political position.

Advice on Recovery

If ransomware infects a computer on your network, it starts to encrypt files, which may include files on remote network shares. Restoring all affected files from their most recent backup is the only guaranteed way to recover from a ransomware infection. Teceze advises the following to limit the effect of a ransomware infection:

  1. Sensitive data is saved to several separate backup environments.
  2. At least one backup is kept offline at any time (separated from live systems).
  3. Backups and incident recovery plans are tested to ensure that data can be recovered when necessary.
  4. User account permissions to change data are periodically reviewed and limited to the minimum necessary.
  5. Infected devices are removed from the network and shut down as soon as possible.
  6. Any user account credentials that might have been compromised are reset from a clean computer.
  7. Where infected systems cannot be quarantined with confidence, the affected entity should disconnect from national networks to restrict the spread.

Prevent Your Organization from Cyberattack Today

When it comes to defending your organization from cybercrime and cyberattacks, it can be hard to know where to begin. There is so much information out there that, particularly when the information is contradictory, it can become overwhelming.

For your company and your workers, you need a solution that fits. Contact us today for a no-obligation cybersecurity assessment. We can help kickstart your journey to a healthy security posture.

To find out how we can help you protect your network and avoid cyberattacks, talk to Teceze cybersecurity specialist today.