Outsourcing giant Serco hit by ransomware attack
Cyber criminals deployed the Babuk ransomware to encrypt more than 1TB of data belonging to the firm behind NHS Test and Trace


The outsourcing firm behind NHS Test and Trace has confirmed that it was targeted by cyber criminals operating the newly-discovered Babuk ransomware.
Hampshire-based Serco manages over 500 contracts worldwide, operating in sectors such as health, transport, justice, immigration, defence, and citizens services.
Sky News, which first reported on the cyber attack, managed to obtain a confirmation from the company that Test and Trace was not affected in the incident.
Had it been affected, the attack would have added to a growing number of incidents that have hit the system since its launch in May of last year. Between late October and early November 2020, it suffered two software glitches in one week, with more than 7,000 people given the wrong dates for self-isolation. Prior to that, an Excel technical issue led to a delay in reporting 15,841 positive COVID-19 cases.
Speaking to Sky News, Serco spokesperson Marcus Deville said there had been "no impact on UK business" and that the attack had only impacted the company's mainland European operations, which were "completely isolated" from those in the UK.
The publication also found that the cyber criminals had used the Babuk ransomware in the attack, a strain that had only gained notoriety in the preceding few weeks and about which little information was available.
According to an advisory published last month by NHS Digital, as the Babuk Loader is deployed, it attempts to “terminate various security and recovery services as well as database, browser and email programs”.
“It then encrypts all non-system files on local and network drives using a ChaCha8 implementation, the keys for which are then encrypted using a custom elliptic-curve Diffie-Hellman implementation thought to be based on several components published by the US' National Institute of Standards and Technology.”
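The advisory's description of the pre-encryption phase (security, recovery, database, browser and email services being stopped in quick succession) is a pattern a defender can look for in Windows System-log event 7036 ("The X service entered the stopped state"). The check below is an added illustration, not code from the article, NHS Digital or Serco; the log lines are constructed samples, and the host names, line format and thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines modelled on Windows System-log event 7036
# (Service Control Manager). Assumed flat format:
# "<ISO timestamp> <host> 7036 The <service> service entered the stopped state"
SAMPLE_LOG = """\
2021-01-30T03:12:01 ws-eu-07 7036 The Windows Defender Antivirus Service service entered the stopped state
2021-01-30T03:12:02 ws-eu-07 7036 The Volume Shadow Copy service entered the stopped state
2021-01-30T03:12:02 ws-eu-07 7036 The SQL Server (MSSQLSERVER) service entered the stopped state
2021-01-30T03:12:04 ws-eu-07 7036 The Windows Backup service entered the stopped state
2021-01-30T03:12:05 ws-eu-07 7036 The Microsoft Exchange Transport service entered the stopped state
2021-01-30T09:00:00 ws-eu-12 7036 The Print Spooler service entered the stopped state
2021-01-30T17:45:10 ws-eu-12 7036 The Windows Backup service entered the stopped state
"""

# Service categories the advisory says are terminated before encryption.
WATCHED = re.compile(
    r"defender|antivirus|security|shadow copy|backup|sql|database|exchange|mail|browser",
    re.IGNORECASE,
)
LINE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) 7036 The (?P<svc>.+?) service entered the stopped state$"
)

def parse_stops(text):
    """Yield (timestamp, host, service) for stop events of watched services."""
    for line in text.splitlines():
        m = LINE.match(line)
        if m and WATCHED.search(m["svc"]):
            yield datetime.fromisoformat(m["ts"]), m["host"], m["svc"]

def find_mass_stops(text, window=timedelta(seconds=60), threshold=3):
    """Return {host: [services]} where at least `threshold` distinct watched
    services stopped within `window` on one host. One stop is routine; a burst
    across security, recovery and database services is the advisory's pattern."""
    by_host = defaultdict(list)
    for ts, host, svc in parse_stops(text):
        by_host[host].append((ts, svc))
    hits = {}
    for host, events in by_host.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            burst = {s for t, s in events[i:] if t - start <= window}
            if len(burst) >= threshold:
                hits[host] = sorted(burst)
                break
    return hits
```

Run against a real export, the function flags only hosts showing the burst; the sample data produces one hit (ws-eu-07) and leaves the routine single stop on ws-eu-12 alone.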
Kaspersky principal security researcher David Emm told IT Pro that Babuk is a "fairly new ransomware".
"Whilst reports have suggested that the coding of the malware isn’t very sophisticated, the way the encryption is implemented means that victims can’t decrypt files for themselves," he added.
"It’s also unclear what the attack vector is in this case, although such attacks typically employ social engineering – i.e. tricking staff into doing something that compromises security, such as clicking on an attachment or link in a message.
"This is why developing an in-house security awareness programme is so vital, to ensure that staff understand the tricks cybercriminals use and know what they can do to avoid falling victim to them," said Emm.
According to the ransom note addressed to Serco, the cyber criminals had been "surfing inside [Serco's] network for about three weeks and copied more than 1TB of your data". According to Sky News, the hackers also threatened the company with "consequences" if it wouldn't cooperate "to resolve this situation", warning of risks including falling stock value.
"Your partners such as NATO, or Belgian Army or anyone else won't be happy that their secret documents are in free access in the internet," it added.
However, it’s currently unknown what exact documents were stolen by the criminals.
IT Pro has contacted Serco for comment and will update this story when more information is available.
Having only graduated from City University in 2019, Sabina has already demonstrated her abilities as a keen writer and effective journalist. Currently a content writer for Drapers, Sabina spent a number of years writing for ITPro, specialising in networking and telecommunications, as well as charting the efforts of technology companies to improve their inclusion and diversity strategies, a topic close to her heart.
Sabina has also held a number of editorial roles at Harper's Bazaar, Cube Collective, and HighClouds.