IT supplier of UK NHS impacted by LockBit 3.0 ransomware attack

Advanced, a managed IT and software provider to the UK National Health Service, has confirmed a security incident involving a LockBit 3.0 ransomware attack. Advanced has over 25,000 customers and 2,700 employees.

Advanced posted details on the security incident (first published on August 4, 2022 and last updated October 13, 2022):

“The threat actor initially accessed the Advanced network using legitimate third-party credentials to establish a remote desktop (RDP) session to the Staffplan Citrix server. During the initial logon session, the attacker moved laterally in Advanced’s Health and Care environment and escalated privileges, enabling them to conduct reconnaissance, and deploy encryption malware. Immediately prior to encrypting systems, the threat actor copied and exfiltrated a limited amount of data.”
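The chain quoted above (a legitimate third-party account used for an RDP logon, followed by lateral movement) is something a defender can look for in Windows Security logs. The following is an added example, not code from the article or from Advanced: it scans constructed 4624 logon events and flags a vendor account whose RDP logon (LogonType 10) is followed within a short window by network logons (LogonType 3) to several other hosts. Host names, account names and IPs are hypothetical.

```python
"""Detection sketch for the pattern in the Advanced statement: a vendor
account logs on over RDP (event 4624, LogonType 10) and then authenticates
to other hosts over the network (LogonType 3) shortly afterwards.
All events below are constructed sample data, not real logs."""
from datetime import datetime, timedelta

# Constructed 4624 events; hosts, accounts and IPs are hypothetical.
EVENTS = [
    {"ts": "2022-08-04T01:02:00", "host": "CTX-STAFFPLAN-01", "account": "vendor-svc", "src_ip": "203.0.113.7", "logon_type": 10},
    {"ts": "2022-08-04T01:09:30", "host": "HC-APP-02", "account": "vendor-svc", "src_ip": "10.10.1.5", "logon_type": 3},
    {"ts": "2022-08-04T01:11:15", "host": "HC-DB-01", "account": "vendor-svc", "src_ip": "10.10.1.5", "logon_type": 3},
    {"ts": "2022-08-04T08:00:00", "host": "CTX-STAFFPLAN-01", "account": "jsmith", "src_ip": "10.20.0.9", "logon_type": 10},
    {"ts": "2022-08-04T08:05:00", "host": "FILE-01", "account": "jsmith", "src_ip": "10.10.1.5", "logon_type": 3},
]
# Accounts issued to third parties; a vendor RDP logon is the trigger.
VENDOR_ACCOUNTS = {"vendor-svc"}


def _parse(ev):
    return {**ev, "ts": datetime.fromisoformat(ev["ts"])}


def detect_vendor_rdp_lateral(events, vendor_accounts, window_minutes=60, min_hosts=2):
    """Return one alert per vendor RDP logon that is followed, within
    window_minutes, by network logons from the same account to at least
    min_hosts distinct hosts other than the RDP entry host."""
    evs = sorted((_parse(e) for e in events), key=lambda e: e["ts"])
    alerts = []
    for i, entry in enumerate(evs):
        if entry["logon_type"] != 10 or entry["account"] not in vendor_accounts:
            continue
        deadline = entry["ts"] + timedelta(minutes=window_minutes)
        targets = set()
        for later in evs[i + 1:]:
            if later["ts"] > deadline:
                break  # events are sorted, nothing later is in the window
            if (later["account"] == entry["account"]
                    and later["logon_type"] == 3
                    and later["host"] != entry["host"]):
                targets.add(later["host"])
        if len(targets) >= min_hosts:
            alerts.append({"account": entry["account"], "entry_host": entry["host"],
                           "src_ip": entry["src_ip"], "lateral_hosts": sorted(targets)})
    return alerts


if __name__ == "__main__":
    for a in detect_vendor_rdp_lateral(EVENTS, VENDOR_ACCOUNTS):
        print(a)
```

The threshold and window are tuning knobs; in a real environment the vendor account list would come from the identity provider rather than a hard-coded set.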

Moreover, the threat intelligence and forensic companies hired by Advanced confirmed that the LockBit 3.0 malware strain was used in the cyberattack.

Researchers first spotted LockBit 3.0, a new variant of the LockBit ransomware (also known as “LockBit Black”), earlier this year. Some believe the malware was created by a disgruntled developer.

“Upon first detecting suspicious activity, our security team promptly disconnected the entire Health and Care environment to contain the threat and limit encryption to a small number of systems. This action also prevented any further threat actor activity within the environment,” Advanced added.

As a result of these actions, Advanced customers lost access to the Health and Care platforms, and other financial services were affected to a limited extent.

Advanced also provided details on remediation and recovery efforts, as well as an analysis of the data impact.

“We can confirm that the perpetrators of the attack, who were financially motivated in nature, were able to temporarily obtain a limited amount of information from our environment pertaining to approximately 16 of our Staffplan and Caresys customers. We have now notified each of those affected customers as the controllers of the exfiltrated data,” Advanced noted.

Advanced also noted that no data was taken from its other products.