Outsourcing giant Serco has confirmed that parts of its infrastructure in mainland Europe have been hit by a double extortion ransomware attack from the emergent Babuk group, but the parts of its operation relating to the NHS Test and Trace programme are unaffected.
The Babuk gang claimed the attack on Thursday 25 October, according to information shared with Computer Weekly, but Serco did not publicly acknowledge the incident until Sunday 31 January, when a spokesperson confirmed the attack to Sky News.
Serco’s spokesperson told the news channel that its European systems were isolated from those in the UK and so there had been no impact on any of its UK operations.
In the ransom note, Babuk’s operators claimed to have had access to Serco’s systems for three weeks, and to have already exfiltrated a terabyte of data. The cyber criminals made specific references to Serco partners, including Nato and the Belgian Army, and threatened Serco with consequences under the General Data Protection Regulation (GDPR)
Although the NHS Test and Trace programme was unaffected by the incident, ThreatConnect EMEA vice-president Miles Tappin said the vulnerabilities in Serco’s wider systems were of great concern, and the Babuk attack exposed “inherent weaknesses of the system”.
“As the government continues to work and implement test and trace technology, it is vital that it collaborates with businesses,” he said. “If more personal data collection is required, they must have security at the forefront of their minds.
“Working together as dynamic teams capable of pulling internal and external threat data and intelligence from multiple sources into one space allows organisations to understand the continually changing threat landscape. This is the only way to ensure they have the resources to defend themselves effectively.”
Tappin added: “To deliver reliable services to society, providers need to build cyber security into their operating models. If done so correctly, they will then be able to ensure their cyber security programmes are effective. Ultimately, this makes it easier to spot relevant threats and attack patterns and gain the context needed to inform response strategies.”
An emergent threat only identified recently, Babuk – also known as Babuk Locker – is a relatively unsophisticated ransomware in technical terms, with its coding described by one researcher as “amateur”.
However, it incorporates very strong encryption features, which makes it an effective threat. According to BleepingComputer, at least one of its victims has already paid a ransom of more than $80,000. Its operators are clearly researching and targeting their victims.
It is currently unclear by what vector Babuk arrives, although there are some unconfirmed reports that it may exploit exposed remote desktop protocol services to gain initial access.
Like many other ransomware operators, the group’s members seem to be under the delusion that they are not criminals, describing themselves as “some kind of a cyberpunks [sic]” who are conducting random penetration testing exercises.
The gang says it does not target victims with annual revenues of under $4m, or hospitals, with the exception of private plastic surgery clinics and dental practices. In what may be a clue as to the cyber criminals’ location, they also claim to steer clear of any non-profit charities, except for LGBTQ+ organisations, or those associated with Black Lives Matter.