
Qilin ransomware gang believed to be behind crippling NHS attack

The Russia-based and financially motivated Qilin ransomware gang is likely behind a cyberattack on laboratory partner company Synnovis that has disrupted primary healthcare across south London and forced the NHS to declare a critical incident.

The attack, first discovered on Monday 3 June, affected a number of NHS Trusts, most notably Guy’s and St Thomas’ NHS Foundation Trust (including Royal Brompton and Evelina hospitals) and King’s College NHS Foundation Trust, but also South London and Maudsley NHS Foundation Trust and Oxleas NHS Foundation Trust, as well as GP surgeries, clinics and services in Bexley, Bromley, Greenwich, Lambeth, Lewisham and Southwark, all of which rely on Synnovis’ services.

Speaking on the BBC’s Today programme on Wednesday 5 June, former CEO of the National Cyber Security Centre (NCSC), Ciaran Martin, said it is currently believed that Qilin was behind the incident.

Martin said the gang was probably just looking for a quick payment and probably did not expect such a big disruption in their attack on Synnovis. He said it was unlikely the gang would receive any money as the UK government does not allow public organisations to pay ransoms. However, he noted that as a private organisation, Synnovis is not subject to any such restrictions.

A patient scheduled to undergo heart surgery this week told the BBC he only learned of the cancellation of his procedure at the last minute, when the surgeon in charge of the procedure told him there was a problem with the blood bank.

Mark Dollar, CEO of Synnovis, which was founded as a joint venture between Germany-based laboratory diagnostic services specialist Synlab and the NHS trusts involved, apologised for the disruption.

“We deeply regret the inconvenience and upset this is causing to patients, service users and anyone else affected. We are doing our best to minimise the impact and will stay in touch with local NHS services to keep people updated on developments,” Dollar said.

He confirmed that the incident at Synnovis was indeed a ransomware attack, but said it was still early days and the organisation was still working to determine the facts of the incident.


“A taskforce of IT experts from Synnovis and the NHS is working to fully assess the impact and take the necessary actions. We are working closely with NHS trust partners to minimise the impact on patients and other service users… Unfortunately, this is affecting patients as some activities have already been cancelled or diverted to other providers as urgent work takes priority,” he said.

“We take cybersecurity very seriously at Synnovis and have invested heavily in ensuring our IT arrangements are as secure as possible. This is a harsh reminder that these types of attacks can affect anyone at any time and, dishearteningly, the people behind them have no qualms about who their actions might affect,” Dollar said.

A spokesperson for NHS England – London Region said: “On Monday 3 June, Synnovis, a provider of laboratory services, was the victim of a ransomware cyberattack.

“This is having a significant impact on the delivery of services at Guy’s and St Thomas’, King’s College Hospital NHS Foundation Trusts and primary health services in south east London and we apologise for any inconvenience this is causing to patients and their families.

“Emergency care remains available, so patients should access services as normal by dialling 999 in an emergency and using 111 otherwise. Patients should continue to attend appointments unless they are told otherwise. We will continue to keep local patients and the public updated on the impact on services and how they can continue to receive the care they need.”

The incident has been reported to law enforcement and the Information Commissioner’s Office (ICO) and those involved are receiving support from the NCSC.

The healthcare system is increasingly under attack

Although it is not yet clear whether the attack on Synnovis was targeted or opportunistic, healthcare is one of the sectors most frequently targeted by ransomware gangs.

According to Blackfog’s latest monthly ransomware report (covering May 2024), healthcare is now the most frequently attacked sector, with 57 incidents reported during the period, a 30% increase in just a few weeks.

Healthcare systems around the world – not just the UK NHS – are particularly vulnerable to such attacks for a number of reasons: they store huge amounts of highly sensitive and valuable data; they often rely on outdated technology, which is a particularly acute problem for many NHS trusts; they are highly exposed to the risk of third-party compromise, as has happened here; and because they are primarily and rightly focused on patient care, they may neglect security awareness training for clinical staff.

A significant factor in the large number of attacks is that the American healthcare system, which is run by for-profit private companies rather than the government, faces no legal restrictions on paying ransoms, and the motivation to pay in order to avoid disruption may be correspondingly greater.

Growing threat from Qilin

Named after a legendary Chinese chimera, the Qilin crew was first spotted in 2022 but has expanded in recent months into gaps created by the disruption of operations such as LockBit and ALPHV/BlackCat.

According to Comparitech, the gang was responsible for eight confirmed attacks in 2023 and has claimed over 30 so far this year.

The ransomware-as-a-service operation employs the now-common double extortion tactic to pressure its victims. Its ransomware locker is written in the cross-platform programming languages Rust and Golang and spreads primarily via phishing emails, although the gang has also been known to gain access through exposed applications and interfaces, including Remote Desktop Protocol and Citrix.

In early 2024, it attacked the systems of UK-based publisher and social enterprise The Big Issue, stealing over 500GB of staff and partner information, contracts, and financial and investment data.