NHS Test and Trace provider hit by cyber attack

Serco ransomware attack highlights increasing vulnerability of health sector amid COVID-19 pandemic

One of the companies heading up the NHS Test and Trace system has been hit by a cyber attack as healthcare organisations continue to fall victim to online criminals.

Sky News has reported that public services company, Serco, was targeted by Babuk ransomware, a new form of attack that encrypts networks and steals data, with victims ordered to pay a ransom to unencrypt their networks and prevent the stolen information from being released.

Serco is one of two main contractors providing call handlers to support the NHS in tracking and tracing those suffering from, or at risk of contracting, Coronavirus.

It is also one of the five companies managing COVID-19 testing centres across the country.

However, speaking after the news broke, a Serco spokesman said it had not affected UK organisations and was instead ‘isolated to our continental European business’.

This, the spokesman added, accounts for less than 3% of Serco’s overall business.

But the attack further highlights the vulnerability of healthcare organisations, which have become key targets since the onset of the pandemic early last year.

An unknown threat

Brett Callow, a cyber security researcher at Emsisoft, who specialises in tracking ransomware groups, said the ransomware had only emerged in early January and that little is known about their operations.

And Miles Tappin, vice president at ThreatConnect, warned: “The recent attack on Serco by criminals operating the so-called Babuk ransomware exposes the inherent weaknesses of the system.

“Personal information was left vulnerable to outsiders using the information for their own private and financial gain.

“Despite no documents being affected this time around, it is clear that only time will tell whether an attack like this will happen again.”

Research by VMware Carbon Black across its healthcare customers showed there were 239.4 million cyber attacks on healthcare organisations in 2020.

The figures also showed an average of 816 attempted attacks per endpoint in 2020, a staggering 9,851% increase from 2019.

And the surge began as early as February, just as the pandemic started to spread worldwide.

“From January to February, the number of attempted attacks shot up by 51% as cyber criminals set their sights on vulnerable healthcare organisations that were navigating tremendous changes in the way they operate and treat patients,” said the company’s senior principal cyber security strategist, Greg Foss.

And he warned that many ransomware groups are now offering ransomware-as-a-service (RaaS), making the deployment of ransomware easily accessible to millions of cyber criminals who previously did not have the tools to carry out such attacks.

“COVID-19 test results are a hot commodity on the dark web right now, mostly in the form of large data dumps,” he adds.

Big business

“An interesting component around today’s ransomware attacks is that underqualified, lesser-known cyber criminal groups are behind them thanks to the rise in RaaS.

“All it takes is a quick search on the dark web for someone to license out a ransomware payload to infect targets.

“Today, it’s unfortunately just as easy to sign up for a grocery delivery service as it is to subscribe to ransomware.”

The top ransomware families used to target VMware Carbon Black healthcare customers in 2020 were identified as Cerber, Sodinokibi, VBCrypt, Cryxos, and VBKrypt.

Rick McElroy, principal cyber security strategist at VMware Carbon Black, explains: “It’s critical to note that the most-commonly-used ransomware family, Cerber, is classified as a RaaS.

“For a percentage of the profits cyber criminals can sign up as a Cerber affiliate and deliver all the Cerber ransomware they desire.

“This is alarming as it accounts for nearly 60% of the ransomware attacks on healthcare organisations, demonstrating the rapid rate at which this strain can be licensed and utilised to infect victims.”

So how can healthcare organisations, and private firms such as Serco, fight back?

VMware Carbon Black has three recommendations moving forwards.

“For healthcare organisations, understanding the evolving threat landscape is half the battle,” said McElroy.

“Now that CISOs have a grasp of what they’re up against, there are key defences that should be in place.”

These are:

  • Next-generation Antivirus (AV): CISOs can start by ensuring their endpoint protection solution incorporates defences for each phase of ransomware attacks: the delivery, propagation, and encryption stages. Today, traditional AV focuses mostly on the delivery stage, but this leaves a security gap with new malware. To detect and stop these attacks from propagating, solutions should also track endpoint activity to root out common behaviours such as privilege escalation and lateral movement, and finally prevent encryption by employing decoys and protecting local files and critical boot sequences
  • Endpoint Protection: CISOs need an endpoint protection solution that easily scales and deploys to new users. The inability to rapidly provision new remote endpoints is another vulnerability and break in security postures. Healthcare organisations need the ability to easily provision access to new users while maintaining data privacy, compliance, and security practices. Siloed and on-premise security products increase complexity and delay progress in standing up and securing remote workers. VMware Carbon Black Cloud Endpoint, for example, helps organisations transform security with cloud-native endpoint protection that eliminates many of the time and resource-consuming barriers that often slow down deployments. The solution also offers security teams the full visibility and control required to help prevent, detect, and respond to endpoint threats
  • IT Tracking Tools: For CISOs to understand any area of vulnerability it’s important to employ a solution that enables them to assess and harden system state. When it comes to helping prevent ransomware attacks, solutions that offer automated reporting to track configuration drift will help ensure environments stay as secure as possible

McElroy said: “The pandemic has brought about not only operational and patient challenges, but also new cyber security threats and vulnerabilities for healthcare organisations.

“For CISOs and security leaders, it's time to ensure the proper security controls are in place as new technology is implemented to support remote work, patient care, and more.

“As we move forward, it’s critical to pay close attention not only to how these criminals achieve their goals, but also how we respond to these threats.

Automation is key

“Our 2020 findings should serve as a starting point for a discussion between the cyber security community and the defenders of the healthcare sector on how to best collaborate and ensure patient care is not disrupted by cyber attacks.”

Adam Enterkin, senior vice president EMEA at BlackBerry, concludes: “The news of the attack on Serco continues a trend we have seen developing over the last year.

“From over-stretched hospital wards, to vaccine development labs; the healthcare industry has seen an increase in attacks during COVID.

“The urgency of this crisis has made distributing malware easier than ever for cyber criminals looking to exploit the critical nature of medical data.

“Sadly, ransomware and information stealers are the most-common type of malware used against the healthcare sector and our latest research uncovered that, globally, healthcare organisations are more likely to pay ransoms than other industries due to the critical nature of the targeted data.

“While many hospitals have the technology to defend against these threats, they lack large and highly-skilled teams.

“Automation is key going forward. Technology must take on the heavy lifting, to allow healthcare professionals to prioritise both immediate care and ever-present cyber threats.”
