October 14, 2022

LockBit 3.0 used in ransomware attack on Advanced that knocked out NHS 111 services

Some details of August's attack have emerged, but it is not known if patient data was stolen.

By Claudia Glover

A ransomware attack which crippled NHS 111 services this summer was carried out using the LockBit 3.0 malware, it has been confirmed. NHS vendor Advanced, the company that suffered the attack, says it lost data belonging to “approximately 16” institutions using its care management software platforms, Staffplan and Caresys, during the attack, but has not confirmed whether personal data was stolen.

Attack knocking out NHS 111 in August confirmed as LockBit 3.0. (Photo by Olga Ganovicheva/Shutterstock)

Advanced suffered the cyberattack on 4 August, meaning services it provided to NHS 111, as well as out-of-hours GP surgeries, were unavailable while the incident was dealt with. Hospital staff resorted to using pen and paper in the absence of their normal digital systems, it was reported.

An update released by Advanced this week said the data of up to 16 companies was stolen by the attacker. “We can confirm that the perpetrators of the attack, who were financially motivated in nature, were able to temporarily obtain information pertaining to approximately 16 of our Staffplan and Caresys customers,” the company said. 

Caresys is care home management software that gives users easy access to individual care plans for their patients, while Staffplan is used to arrange care worker schedules.

Whether data leaked from either of these platforms includes personal information of any patients or staff has yet to be confirmed by Advanced. 

The update describes how the perpetrator accessed the system: “The threat actor initially accessed the Advanced network using legitimate third-party credentials,” it explains.

“During the initial login session the attacker moved laterally in Advanced’s health and care environment and escalated privileges, enabling them to conduct reconnaissance and deploy encryption malware,” it states.

Before encrypting the system, Advanced says the attacker stole a “limited” amount of data, but declined to offer further details on this.

LockBit 3.0’s continuing cybercrime spree

The encryption malware used in the attack is LockBit 3.0, also known as LockBit Black.

Advanced appears to have been part of a LockBit crime spree in August. The malware was used in 64 attacks within the month, according to research released by NCC Group’s analytics team. LockBit 3.0 was responsible for 40% of all ransomware incidents in August, making it the most prolific ransomware that month.

More than 100 gigabytes of data was stolen from the Italian Tax Office on August 1. The gang gave the government body until the end of the month to pay up or pilfered information would be released on the dark web. Four days later, LockBit claimed an attack on cybersecurity company Mandiant, stealing 350,000 files and threatening to leak them online. Mandiant says it has found “no evidence” of a breach, and believes LockBit may be striking back after Mandiant released an investigation into its relationship with Russian cyber gang Evil Corp.

The gang itself was hacked in August as well. A DDoS attack was launched on LockBit’s dark web server, which hosts leaks from companies the gang has ransomed. At the time of the attack, the gang was receiving “400 requests a second from over 1,000 servers”.

“LockBit 3.0 is a ransomware tool, so if an attacker is using LockBit 3.0, then they will almost definitely be deploying ransomware,” says Javvad Malik, lead security awareness advocate at KnowBe4. “However, the one caveat is whether ransomware and extorting money is the actual objective of the attackers, or whether they are using it as a distraction to cover their real intentions.”
