LockBit 3.0 malware forced NHS tech supplier to shut down hosted sites

Advanced, a managed software provider to the UK National Health Service, has confirmed that customer data was indeed lifted as part of the attack by cyber baddies that has disrupted operations for months.

The attack was first noted August 4 when Advanced promptly pulled a portion of its infrastructure offline to contain the spread of infection to other systems. As such, a range of sites hosted for clients were unavailable.

The incident disrupted healthcare customers, forcing NHS 111 medical services operators, for example, to revert back to pen and paper as digital services went AWOL, sources told us at the time.

In an incident update yesterday, Advanced confirmed that the “perpetrators of the attack, who were financially motivated in nature, were able to temporarily obtain a limited amount of information from our environment pertaining to 16 of our Staffplan and Caresys customers.”

Advanced has now informed those customers, as is its legal duty, of the “exfiltrated data.” The company’s incident update says no data was taken from the other products it hosts, and it has “recovered the limited amount of data” that the crooks swiped from the infected systems.

“[W]e believe the likelihood of harm to individuals is low,” it adds. “This is based on our expert threat intelligence vendor's considerable experience with cases of this nature and the fact that there is no evidence to suggest that the data in question exists elsewhere outside our control. We are, however, monitoring the dark web as a belt and braces measure and will let you know immediately in the unlikely event that this position change

As for the entry point? Access was gained via Advanced’s network using legitimate third-party credentials to set up a Remote Desktop session to the Staffplan Citrix server.

• Healthcare organizations face rising ransomware attacks – and are paying up
• When are we gonna stop calling it ransomware? It's just data kidnapping now
• 'Precursor malware' infection may be sign you're about to get ransomware, says startup
• Major IT outage forces UK emergency call handlers to use 'pen and paper'

“During the initial logon session, the attacker moved laterally in Advanced’s Health and Care environment and escalated privileges, enabling them to conduct reconnaissance, and deploy encryption malware. Immediately prior to encrypting systems, the threat actor copied and exfiltrated a limited amount of data,” the update says.

Microsoft and Mandiant, hired by Advanced, have confirmed the malware strain deployed in the attack was LockBit 3.0, the latest version of the ransomware released in June.

“The forensics are very nearly complete and at this stage, it is highly unlikely there will be additional findings,” Advanced states in the incident update.

It says upon spotting the suspicious activity on the network it “disconnected the entire Health and Care environment” to contain the infection from spreading; that “by taking this action, our customers lost access” to these platforms; adding that a “limited number of non-health and care environments and services, such as eFinancials”.

Advanced is understood to have 36 NHS clients that provide service thousands of healthcare professionals. Impacted services included the hosting of Adastra, Carey’s, Carenotes, Crosscare, Odyssey and Staffplan. Adastra is said to work with 85 percent of NHS 111 services.

Undertaking an assurance process to rebuild affected health and care services, overseen by Britain’s National Cyber Security Centre, the NHS and NHS Digital, “took longer than expected” and “impacted our overall recovery time”, the incident report says.

Advanced previously told us on August 12 it expected to recover in a matter of weeks. Recovering from ransomware take on average between 7 to 21 days, and unsurprisingly downtime is the most costly element. And getting over the attack itself can cost 10 times the ransom demand.

The incident report adds: “We are working diligently and bringing all resources to bear, including outside recovery specialists, to help us restore services to our customers as quickly as possible, and in the interim, providing data extracts and assisting with contingency planning as appropriate."

According to Advanced yesterday, some 90 percent of Adastra hosted sites are back online and all hosted sites for Odyssey are up. The rebuild and prelim testing of the Carenotes base estate is complete, and Crosscare customers can request data extracts. Recovery work on Caresys, as of 29 September, “continues to progress”, and hosted Staffplan customers could request data extractions.

The Reg has asked Advanced if any crew has stepped forward to take responsibility for the attack, if a ransom was paid, and queried the nature of the data that was exfiltrated. ®