A ransomware attack which crippled NHS 111 services this summer was carried out using the LockBit 3.0 malware, it has been confirmed. NHS vendor Advanced, the company that suffered the attack, says it lost data belonging to “approximately 16” institutions using its care management software platforms, StaffPlan and Caresys, during the attack, but has not confirmed whether personal data was stolen.
An update released by Advanced this week said the data of up to 16 companies was stolen by the attacker. “We can confirm that the perpetrators of the attack, who were financially motivated in nature, were able to temporarily obtain information pertaining to approximately 16 of our Staffplan and Caresys customers,” the company said.
Caresys is care home management software that lets users easily access individual care plans for their patients, while Staffplan is used to arrange care worker schedules.
Whether data leaked from either of these platforms includes personal information of any patients or staff has yet to be confirmed by Advanced.
The update sets out how the perpetrator accessed the system. “The threat actor initially accessed the Advanced network using legitimate third-party credentials,” it explains.
“During the initial login session the attacker moved laterally in Advanced’s health and care environment and escalated privileges, enabling them to conduct reconnaissance and deploy encryption malware,” it states.
Before encrypting the system, Advanced says the attacker stole a “limited” amount of data, but declined to offer further details on this.
LockBit 3.0’s continuing cybercrime spree
The encryption malware used in the attack is LockBit 3.0, also known as LockBit Black.
Advanced appears to have been part of a LockBit crime spree in August. The malware was used in 64 attacks within the month, according to research released by the NCC Group’s analytics team. LockBit 3.0 was responsible for 40% of all ransomware incidents in August, making it the most prolific ransomware that month.
More than 100 gigabytes of data was stolen from the Italian Tax Office on August 1. The gang gave the government body until the end of the month to pay up or the pilfered information would be released on the dark web. Four days later, LockBit claimed an attack on cybersecurity company Mandiant, stealing 350,000 files and threatening to leak them online. Mandiant says it has found “no evidence” of a breach, and believes LockBit may be striking back after Mandiant released an investigation into its relationship with Russian cyber gang Evil Corp.
The gang itself was hacked in August as well. A DDoS attack was launched on LockBit’s dark web server, which hosts leaks from companies the gang has ransomed. At the time of the attack, the gang was receiving “400 requests a second from over 1,000 servers”.
“Lockbit 3.0 is a ransomware tool, so if an attacker is using Lockbit 3.0, then they will almost definitely be deploying ransomware,” says Javvad Malik, lead security awareness advocate at KnowBe4. “However, the one caveat is whether ransomware and extorting money is the actual objective of the attackers, or whether they are using it as a distraction to cover their real intentions.”