NHS data stolen from contractor in serious cyberattack


NHS software vendor Advanced has confirmed it was the victim of a ransomware attack that resulted in the theft of sensitive customer data.

The company says an unknown threat actor used “legitimate third-party credentials,” which allowed them to establish a remote desktop (RDP) session to the Staffplan Citrix server.

From there, the attackers moved laterally through the network, escalating privileges as needed to map the entire network and identify critical endpoints and critical data.

Eliminate the attackers

Two days later, after exfiltrating enough sensitive files, the group deployed LockBit 3.0, a well-known and powerful ransomware variant that encrypted all data on the network.

Advanced said the group was financially motivated, but did not specify how much money it demanded for the decryption key and data return, nor whether or not it paid.

As soon as Advanced realized it was under attack, it disconnected all of its systems from the Internet.

While that stopped further escalation of the attack, it also temporarily prevented customers and users from accessing the systems. As a result, the company proceeded to rebuild the network in a “separate, safe and new environment”.

In total, the company claims that 16 customers had their sensitive information stolen. It didn’t say exactly what this data contained, but it did say that victims were notified in a timely manner and that it managed to recover all stolen information.

Advanced further described the recovery process, saying it could have moved relatively quickly but still had to comply with government processes.

“While we were equipped and able to completely rebuild certain health and care products by the Monday following the incident, we had to comply with an assurance process outlined by our partners at the NCSC, NHS and NHS Digital.”

It said this process proved to be time-consuming and cumbersome.

“As we learned about this assurance process and adjusted in real time to meet certain requirements, it took longer than expected, impacting our overall recovery timeline. We have put safety and security first at every step of our recovery process,” it said.

“As we work through scanning and clearing systems, we will simultaneously continue to review and/or develop recovery plans for the remaining affected products,” it concluded.


Via: Digital Health
