Emergency services call-handling provider: Ransomware forced it to pull servers offline

Advanced's infrastructure still down and out, recovery to take weeks or more


Advanced, the MSP forced to shut down some of its servers last week after identifying an "issue" with its infrastructure hosting products, has confirmed a ransomware attack and says recovery will be in the order of weeks.

The incident was spotted on 4 August and efforts to contain it resulted in server and network connections being taken offline, causing the loss of service on products used by Health & Care customers. Affected hosted products include Adastra, Caresys, Odyssey, Carenotes, Crosscare and Staffplan.

Some 36 customers from the UK's National Health Service (NHS) use services provided by Advanced, including NHS 111, which provides round-the-clock support such as health information. Adastra, for example, is said to work with 85 percent of NHS 111 Services, and call operators were forced to use pen and paper to keep things running.

The turn of events bore all the signs of a serious security strike and in its latest update on 10 August, Advanced confirmed it fell victim to "ransomware."

Third-party forensic specialists from Mandiant and Microsoft's DART team are working with Advanced's techies to "ensure our systems are back online securely with enhanced protections."

Advanced said communication is also being maintained with the NHS, the National Cyber Security Centre (NCSC) and UK data watchdog the ICO.

"We want to stress that there is nothing to suggest that our customers are at risk of malware spread and believe that early intervention from our Incident Response Team contained this issue to a small number of servers," the update says.

No further issues have since been detected, the company added.

As for the way forward? Sources told us on 5 August they were informed that services may resume on 9 August but that was seemingly overly optimistic.

Advanced's update says: "We are rebuilding and restoring impacted systems in a separate and secure environment. To help all customers feel confident in reconnecting to our products once service is restored, we have implemented a defined process by which all environments will be systematically checked prior to securely bringing them online.

This process includes:

Following this, Advanced will bring impacted infrastructure back online and reconnect services "as part of a phased return."

"With respect to the NHS, we are working with them and the NCSC to validate the additional steps we have taken, at which point the NHS will begin to bring its services back online.

"For NHS 111 and other urgent care customers using Adastra and NHS Trusts using eFinancials, we anticipate this phased process to begin within the next few days. For other NHS customers and Care organisations our current view is that it will be necessary to maintain existing contingency plans for at least three to four more weeks. We are working tirelessly to bring this timeline forward, and while we are hopeful to do so, we want our customers to be prepared. We will continue to provide updates as we make progress."

Advanced said it is in the "early stages of our investigation into this incident" and has "not yet confirmed the root cause," which it admitted "may take time."

"With respect to potentially impacted data, our investigation is underway, and when we have more information about potential data access or exfiltration, we will update customers as appropriate. Additionally, we will comply with applicable notification obligations," it adds.

It thanked customers for their "continued patience", adding: "We fully understand the challenges this incident has caused for many of our stakeholders."

A security source close to the matter told us there are suggestions the criminals behind the ransomware could have been in Advanced's network for months, and that hundreds of millions of NHS records may have been captured.

We asked Advanced about this, and whether they are negotiating with the extortionists.

In response, the company sent us a statement from Simon Short, chief operating officer:

"We are continuing to make progress in our response to this incident. We are doing this by following a rigorous phased approach, in consultation with our customers and relevant authorities. We thank all our stakeholders for their patience and understanding as our team works around the clock to resume service as safely and securely as possible." ®
