Serco confirms Babuk ransomware attack, Test and Trace not impacted

The attack hit only mainland European operations, Serco claims

Multinational outsourcing firm Serco, which is supporting the NHS Test and Trace programme, has fallen victim to a ransomware attack.

Speaking to Sky News, Serco spokesperson Marcus Deville confirmed the cyber attack, announcing that the incident affected the company's operations in mainland Europe. He added that there was no impact on Serco's UK business, including the Test and Trace system.

Deville also revealed Serco believes the crime group operating the Babuk ransomware was behind the attack.

Hampshire-based Serco employs about 50,000 staff and manages over 500 contracts worldwide. The company operates in many sectors, including health, immigration, defence, transport, justice, and citizens' services.

It is not yet clear whether Serco had paid a ransom to Babuk's operators. Moreover, there is little information available about that specific strain of ransomware.

NHS Digital warned organisations about Babuk in an advisory last month. The organisation said that after infecting a system, the Babuk Loader tries to stop security and recovery services from running, as well as the browser, email programs and database. 'It then encrypts all non-system files on local and network drives using a ChaCha8 implementation,' the warning continued.

The group behind the cyber attack wrote in their ransom note that they had been lurking inside Serco's network for about three weeks, and had already exfiltrated more than one terabyte of data from the compromised systems.

The criminals also threatened Serco with 'consequences' if the firm did not cooperate.

"Your partners such as NATO, or Belgian Army or anyone else won't be happy that their secret documents are in [sic] free access in the internet," they wrote.

Commenting on the attack, Adam Enterkin, SVP, EMEA, BlackBerry, stated: "The news of the attack on Serco today continues a trend we have seen developing over the last year.

"From over-stretched hospital wards to vaccine development labs, the healthcare industry has seen an increase in attacks during COVID. The urgency of this crisis has made distributing malware easier than ever for cybercriminals looking to exploit the critical nature of medical data.

"Sadly, ransomware and information stealers are the most common type of malware used against the healthcare sector. BlackBerry's latest research uncovered that globally, healthcare organisations are more likely to pay ransoms than other industries due to the critical nature of the targeted data.

"While many hospitals have the technology to defend against these threats, they lack large and highly skilled teams. Automation is key: technology must take on the heavy lifting, to allow healthcare professionals to prioritise both immediate care and ever-present cyber threats."

The news of the ransomware attack against Serco comes as UK Research and Innovation (UKRI) said last week that it had been hit by a cyber attack that resulted in some of its data being encrypted by a third party.

UKRI said that many of its web assets were adversely impacted following the security incident, including a portal of the UK Research Office (UKRO), the BBSRC extranet.

The British branch of Mensa, the society for people with high IQs, also admitted last week that it had fallen victim to a cyber attack.

The society said that it was investigating the incident, which 'involved considerable resources'.