Outsourcing giant Serco has confirmed that parts of its infrastructure in mainland Europe have been hit by a double extortion ransomware attack from the emergent Babuk group, but says its operations relating to the NHS Test and Trace program are unaffected.
According to information shared with Computer Weekly, the Babuk gang claimed the attack on Thursday, 25 October, but Serco did not publicly acknowledge the incident until Sunday, 31 January, when a spokesperson confirmed the attack to Sky News.
Serco’s spokesperson told the news channel that its European systems were isolated from those in the UK, so there had been no impact on any of its UK operations.
In the ransom note, Babuk’s operators claimed to have had access to Serco’s systems for three weeks and to have already exfiltrated a terabyte of data. The cybercriminals made specific references to Serco partners, including Nato and the Belgian Army, and threatened Serco with consequences under the General Data Protection Regulation (GDPR).
Although the NHS Test and Trace program was unaffected by the incident, ThreatConnect EMEA vice-president Miles Tappin said the vulnerabilities in Serco’s broader systems were of great concern, and the Babuk attack exposed “inherent weaknesses of the system”.
“As the government continues to work and implement test and trace technology, it is vital that it collaborates with businesses,” he said. “If more personal data collection is required, they must have security at the forefront of their minds.
“Working together as dynamic teams capable of pulling internal and external threat data and intelligence from multiple sources into one space allows organizations to understand the continually changing threat landscape. This is the only way to ensure they have the resources to defend themselves effectively.”
Tappin added: “To deliver reliable services to society, providers need to build cyber security into their operating models. If done so correctly, they will then be able to ensure their cyber security programs are effective. Ultimately, this makes it easier to spot relevant threats and attack patterns and gain the context needed to inform response strategies.”
An emergent threat only identified recently, Babuk – also known as Babuk Locker – is a relatively unsophisticated ransomware in technical terms, with its coding described by one researcher as “amateur”.
However, it incorporates powerful encryption features, which makes it an effective threat. According to BleepingComputer, at least one of its victims has already paid a ransom of more than $80,000. Its operators are clearly researching and targeting their victims.
It is currently unclear by what vector Babuk arrives, although some unconfirmed reports suggest it may exploit exposed remote desktop protocol (RDP) services to gain initial access.
Like many other ransomware operators, the group’s members seem to be under the delusion that they are not criminals, describing themselves as “some kind of a cyberpunk [sic]” who are conducting random penetration testing exercises.
The gang says it does not target victims with annual revenues under $4m or hospitals, except private plastic surgery clinics and dental practices. In what may be a clue about the cyber criminals’ location, they also claim to steer clear of any non-profit charities, except for LGBTQ+ organizations, or those associated with Black Lives Matter.