The outsourcing firm behind NHS Test and Trace has confirmed that it was targeted by cyber criminals operating the newly-discovered Babuk ransomware.
Hampshire-based Serco manages over 500 contracts worldwide, operating in sectors such as health, transport, justice, immigration, defence, and citizens services.
Sky News, which first reported on the cyber attack, managed to obtain a confirmation from the company that Test and Trace was not affected in the incident.
If it had, it would add to a growing number of incidents that have affected the system since its launch in May of last year. Between late October and early November 2020, it suffered two software glitches in one week, with more than 7,000 people given the wrong dates for self-isolation. Prior to that, an Excel technical issue led to a delay in reporting 15,841 positive COVID-19 cases.
Speaking to Sky News, Serco spokesperson Marcus Deville said there had been "no impact on UK business" and that the attack had only impacted the company's mainland European operations, which were "completely isolated" from those in the UK.
The publication also found that the cyber criminals had used the Babuk ransomware in the attack, which had only gained notoriety in the last few weeks, with little information available.
RELATED RESOURCE
Ransomware resiliency: The risks associated with an attack and the reward of recovery planning
An overview of the history of ransomware, its potential impact, and best practices to protect IT systems
According to an advisory published last month by NHS Digital, as the Babuk Loader is deployed, it attempts to “terminate various security and recovery services as well as database, browser and email programs”.
“It then encrypts all non-system files on local and network drives using a ChaCha8 implementation, the keys for which are then encrypted using a custom elliptic-curve Diffie-Hellman implementation thought to be based on several components published by the US' National Institute of Standards and Technology.”
Kaspersky principal security researcher David Emm told IT Pro that Babuk is a "fairly new ransomware".
"Whilst reports have suggested that the coding of the malware isn’t very sophisticated, the way the encryption is implemented means that victims can’t decrypt files for themselves," he added.
"It’s also unclear what the attack vector is in this case, although such attacks typically employ social engineering – i.e. tricking staff into doing something that compromises security, such as clicking on an attachment or link in a message.
"This is why developing an in-house security awareness programme is so vital, to ensure that staff understand the tricks cybercriminals use and know what they can do to avoid falling victim to them," said Emm.
According to the ransom note addressed to Serco, the cyber criminals had been "surfing inside [Serco’s] network for about three weeks and copied more than 1TB of your data”. According to Sky News, the hackers also threatened the company with "consequences" if it wouldn’t cooperate "to resolve this situation", warning of risks including falling stock value.
"Your partners such as NATO, or Belgian Army or anyone else won't be happy that their secret documents are in free access in the internet,” it added.
However, it’s currently unknown what exact documents were stolen by the criminals.
IT Pro has contacted Serco for comment and will update this story when more information is available.
-
RSAC Conference 2025: The front line of cyber innovationITPro Podcast Ransomware, quantum computing, and an unsurprising focus on AI were highlights of this year's event
-
Anthropic CEO Dario Amodei thinks we're burying our heads in the sand on AI job lossesNews With AI set to hit entry-level jobs especially, some industry execs say clear warning signs are being ignored
-
LockBit data dump reveals a treasure trove of intel on the notorious hacker groupNews An analysis of May's SQL database dump shows how much LockBit was really making
-
‘I take pleasure in thinking I can rid society of at least some of them’: A cyber vigilante is dumping information on notorious ransomware criminals – and security experts say police will be keeping close tabsNews An anonymous whistleblower has released large amounts of data allegedly linked to the ransomware gangs
-
It's been a bad week for ransomware operatorsNews A host of ransomware strains have been neutralized, servers seized, and key players indicted
-
Everything we know about the Peter Green Chilled cyber attackNews A ransomware attack on the chilled food distributor highlights the supply chain risks within the retail sector
-
Scattered Spider: Who are the alleged hackers behind the M&S cyber attack?News The Scattered Spider group has been highly active in recent years
-
Ransomware attacks are rising — but quiet payouts could mean there's more than actually reported
News Ransomware attacks continue to climb, but they may be even higher than official figures show as companies choose to quietly pay to make such incidents go away.
-
Cleo attack victim list grows as Hertz confirms customer data stolen – and security experts say it won't be the lastNews Hertz has confirmed it suffered a data breach as a result of the Cleo zero-day vulnerability in late 2024, with the car rental giant warning that customer data was stolen.
-
‘Phishing kits are a force multiplier': Cheap cyber crime kits can be bought on the dark web for less than $25 – and experts warn it’s lowering the barrier of entry for amateur hackersNews Research from NordVPN shows phishing kits are now widely available on the dark web and via messaging apps like Telegram, and are often selling for less than $25.
