Software provider NHS Advanced has confirmed that it has suffered a ransomware attack that led to the theft of sensitive customer data.
The company claims that an unknown threat actor used “legitimate third-party credentials” to establish a remote desktop (RDP) session to the Staffplan Citrix server.
From there, the attackers moved laterally across the network, escalating privileges as needed to map the entire network and identify critical endpoints and the data behind them.
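The intrusion path described above (a third-party account opening an RDP session to one server, then the same account turning up on other hosts) is the kind of sequence a defender can look for in Windows logon events. The script below is an added example and is not code from the article, from Advanced or from any of the named organisations. It assumes logon records in the shape of Windows Security event 4624 (successful logon), where logon type 10 is a RemoteInteractive (RDP) session and logon type 3 is a network logon; the sample records, host names, IP addresses and the vendor allow-list are all constructed for the example.

```python
"""Flag RDP logons by third-party accounts and any logons the same account
makes on out-of-scope hosts shortly afterwards (constructed data)."""
import json
from datetime import datetime, timedelta

# Constructed sample records (not from the article). Field names mirror
# Windows Security event 4624; logon_type 10 = RDP, logon_type 3 = network.
SAMPLE_LOG = """
{"ts": "2022-08-02T09:12:04Z", "event_id": 4624, "logon_type": 10, "account": "vendor-support01", "src_ip": "203.0.113.45", "host": "staffplan-ctx01"}
{"ts": "2022-08-02T09:40:51Z", "event_id": 4624, "logon_type": 3, "account": "vendor-support01", "src_ip": "10.20.0.15", "host": "fileserver02"}
{"ts": "2022-08-02T09:58:10Z", "event_id": 4624, "logon_type": 3, "account": "vendor-support01", "src_ip": "10.20.0.15", "host": "dc01"}
{"ts": "2022-08-02T10:05:00Z", "event_id": 4624, "logon_type": 10, "account": "jsmith", "src_ip": "10.20.0.77", "host": "staffplan-ctx01"}
{"ts": "2022-08-03T14:00:00Z", "event_id": 4624, "logon_type": 3, "account": "vendor-support01", "src_ip": "10.20.0.9", "host": "fileserver02"}
"""

# Hypothetical allow-list: each third-party account and the hosts it is
# contracted to access. Anything outside this set is worth a look.
THIRD_PARTY_SCOPE = {"vendor-support01": {"staffplan-ctx01"}}


def parse_events(text):
    """One JSON object per line; blank lines are skipped."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def rdp_logons_by_third_parties(events, scope):
    """Every successful RDP (logon type 10) logon by a third-party account."""
    return [
        e for e in events
        if e["event_id"] == 4624 and e["logon_type"] == 10 and e["account"] in scope
    ]


def lateral_movement_after_rdp(events, scope, window=timedelta(hours=2)):
    """For each third-party RDP logon, collect later logons by the same
    account on hosts outside its contracted scope within `window`."""
    findings = []
    for entry in rdp_logons_by_third_parties(events, scope):
        t0 = parse_ts(entry["ts"])
        hops = [
            e for e in events
            if e["account"] == entry["account"]
            and e["host"] not in scope[entry["account"]]
            and t0 < parse_ts(e["ts"]) <= t0 + window
        ]
        if hops:
            findings.append({
                "account": entry["account"],
                "entry_host": entry["host"],
                "entry_src_ip": entry["src_ip"],
                "hosts_reached": sorted({h["host"] for h in hops}),
            })
    return findings


if __name__ == "__main__":
    evts = parse_events(SAMPLE_LOG)
    for f in lateral_movement_after_rdp(evts, THIRD_PARTY_SCOPE):
        print(f"{f['account']} entered via RDP on {f['entry_host']} "
              f"from {f['entry_src_ip']} and reached {', '.join(f['hosts_reached'])}")
```

The scope allow-list is the piece that does the work: a vendor account logging on to the server it supports is expected, the same account appearing on a file server and a domain controller half an hour later is not. The two-hour window is a tunable assumption; the out-of-window record on the following day is deliberately left unflagged to show the cut-off.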
Cutting out intruders
Two days later, having exfiltrated enough sensitive files, the group deployed LockBit 3.0, a well-known and powerful ransomware variant, which encrypted all of the data.
Advanced said the group was financially motivated, but did not specify how much it demanded for the decryption key and the return of the data, or whether the ransom was paid.
As soon as Advanced realized it had been attacked, it disconnected all of its systems from the Internet.
While this stopped the attack from escalating further, it also temporarily blocked customers and users from accessing the systems. As a result, the company moved to restore the network in a “separate, secure and new environment”.
In total, the company claims that 16 customers had their confidential information stolen. It didn’t say exactly what that data included, but it did say that victims were notified in a timely manner and that all stolen information was recovered.
Further describing the recovery process, Advanced said it was able to move relatively quickly but still had to satisfy government processes.
“While we were equipped and able to fully restore some health and care products by the Monday following the incident, we had to satisfy the provisioning process put in place by our partners at the NCSC, the NHS and NHS Digital.”
The company said the process proved time-consuming and cumbersome.
“As we learned more about this provisioning process and adjusted it in real-time to meet certain requirements, it took longer than expected, which impacted our overall recovery schedule. We prioritize safety and security at every stage of our recovery process,” it said.
“While we are working on scanning and cleaning systems, we are concurrently continuing to evaluate and/or develop recovery plans for the remaining affected products,” it concluded.
Via: DigitalHealth
https://www.techradar.com/news/nhs-data-stolen-from-contractor-in-serious-cyberattack/