NHS Professionals

A cyberattack targeting NHS Professionals, a private company owned by the Department of Health and Social Care, resulted in the theft of its Active Directory data. The attack, which occurred in May 2024, was a failed ransomware attempt but led to the theft of a highly valuable ntds.dit file. The criminals moved laterally within the organization's network using RDP and SMB share access, although it's not clear how they escalated their privileges up to the domain admin level. Despite the breach, the organization confirmed that no data or other information was compromised, and there was no disruption to services.

Source: https://www.techradar.com/pro/security/nhs-recruitment-firm-had-major-security-bugs-which-could-have-exposed-entire-systems

TPRM report: https://scoringcyber.rankiteo.com/company/nhs-professionals-limited

"id": "nhs137061325",
"linkid": "nhs-professionals-limited",
"type": "Ransomware",
"date": "6/2025",
"severity": "75",
"impact": "",
"explanation": "Attack limited on finance or reputation: Attack on which customers experience fraudulent activity"
{'affected_entities': [{'industry': 'Healthcare',
                        'location': 'England',
                        'name': 'NHS Professionals',
                        'size': '1,000 employees, 190,000 registered '
                                'healthcare professionals',
                        'type': 'Private Company'}],
 'attack_vector': 'Compromised Citrix Account',
 'data_breach': {'data_exfiltration': 'Yes',
                 'file_types_exposed': 'ntds.dit file',
                 'type_of_data_compromised': 'Active Directory data'},
 'date_detected': 'May 2024',
 'description': 'A cyberattack targeting NHS Professionals resulted in the '
                'theft of its Active Directory data. The attack occurred in '
                'May 2024 but was never publicly disclosed.',
 'impact': {'data_compromised': 'Active Directory data, ntds.dit file'},
 'initial_access_broker': {'entry_point': 'Compromised Citrix Account',
                           'high_value_targets': 'Active Directory data'},
 'investigation_status': 'Completed',
 'lessons_learned': 'Lack of multi-factor authentication (MFA) on domain '
                    'accounts and insufficient endpoint detection and response '
                    'solutions allowed attackers access.',
 'motivation': 'Data Theft, Ransomware',
 'post_incident_analysis': {'root_causes': 'Lack of multi-factor '
                                           'authentication (MFA) on domain '
                                           'accounts, insufficient endpoint '
                                           'detection and response solutions'},
 'ransomware': {'data_exfiltration': 'Yes'},
 'references': [{'source': 'The Register'}],
 'regulatory_compliance': {'regulatory_notifications': 'Information '
                                                       "Commissioner's Office"},
 'response': {'third_party_assistance': 'Deloitte, NHS England, Department of '
                                        'Health and Social Care, Information '
                                        "Commissioner's Office"},
 'threat_actor': 'Scattered Spider',
 'title': 'Cyberattack on NHS Professionals',
 'type': 'Ransomware Attempt',
 'vulnerability_exploited': 'Lack of multi-factor authentication (MFA) on '
                            'domain accounts'}