
Qilin ransomware group blamed for attack on London hospitals

The cyberattack that led several London hospitals to declare a critical incident on Monday is believed to have been carried out by the ransomware-as-a-service (RaaS) group Qilin, former National Cyber Security Centre CEO Ciaran Martin said on BBC Radio 4’s Today programme on Wednesday.

According to Martin, the Qilin ransomware group is financially motivated and based in Russia. It uses a double extortion tactic: it encrypts the victim’s data and also steals a copy, threatening to publish it if the ransom is not paid.

The attack targeted Synnovis, a pathology partnership between Guy’s and St Thomas’ NHS Foundation Trust, King’s College Hospital NHS Foundation Trust and SYNLAB, the largest medical testing and diagnostics provider in Europe.

Because Synnovis systems were compromised and encrypted, pathology services at the two NHS trusts, as well as GP services in the boroughs of Bexley, Greenwich, Lewisham, Bromley, Southwark and Lambeth, have been disrupted, Synnovis CEO Mark Dollar said in a statement on Tuesday.

The consequences of the attack included postponing non-urgent treatment and diverting operations that require blood transfusions to other, unaffected hospitals, since blood matching depends on the affected pathology services.

“NHS systems are a prime target for cybercriminals because a tiny breach can affect multiple units. This is another example of why intrusion mitigation is paramount – containing attacks at the point of entry can dramatically reduce the impact of a breach,” Trevor Dearing, director of critical infrastructure at Illumio, told SC Media in an email. “The ‘chaos factor’, the act of causing massive societal unrest, is the driving force behind many cyberattacks today, and healthcare is one of the few sectors where cyberattacks can have a deadly impact on human lives.”

Who is Qilin?

Qilin, also known as Agenda, is a RaaS operation that first appeared in July 2022, according to SentinelOne’s profile of the group. Qilin tends to go after high-value targets such as large enterprises and is also known to hit the healthcare and education sectors with double extortion attacks.

The Qilin ransomware exists in both a Golang and a Rust variant. According to an analysis by Cyberint published in March 2024, the Rust variant is particularly evasive, customizable and difficult to reverse-engineer. The ransomware offers multiple encryption modes that the affiliate can select at build or run time, and it is often delivered through malicious links in phishing emails.

Qilin has claimed responsibility for attacks on victims in several countries, including the UK, the US, Canada, Brazil, France and Japan. Among the victims it has claimed are Upper Merion Township, Pennsylvania, Etairos Health and Kevin Leeds CPA in the US, and Yanfeng Automotive Interiors in China.

“Like other RaaS operations, Qilin ransomware attacks do not appear to be targeted at a specific country or industry, although the majority of victims are organizations based in North America and Western Europe. Healthcare equipment and services are second only to commercial and professional services as the most affected industry group,” Louise Ferrett, senior threat analyst at dark web threat intelligence firm Searchlight Cyber, told SC Media. “This victimology is likely based primarily on opportunity, as well as which organizations and regions threat actors believe are willing and able to pay a higher ransom.”

On Wednesday, The Record reported that Qilin’s Tor-based extortion site suddenly became unavailable, returning a 0xF2 error (the Tor Browser code for “Onionsite Has Disconnected”), which, according to The Record, often occurs when an onion service is being moved to a new server.

However, Emsisoft threat analyst Brett Callow reported on Wednesday afternoon that, while the Tor site had been restored, it was “loading extremely slowly”; the group’s clear-web site appeared to have been unaffected. It is unclear why the Qilin site went down, but the group had not added Synnovis to its victim list before the outage, according to The Record.

Healthcare remains a prime ransomware target

The UK’s National Health Service has been hit by several ransomware attacks over the past year, including a breach at Barts Health NHS Trust in July 2023, for which ALPHV/BlackCat claimed responsibility, and the extortion of NHS Dumfries and Galloway by INC Ransom in March this year.

“The healthcare sector has long been a prime target for cybercriminals as it holds a wealth of valuable data, including personal health information and financial data. This risk is particularly acute in the NHS as they use disposable machines with outdated and unsupported software and have multiple users logging into each PC, making these systems incredibly difficult to effectively secure and manage,” Martin Greenfield, CEO of continuous controls monitoring firm Quod Orbis, told SC Media.

Greenfield also pointed out that the recent attacks may stem from staff not being adequately trained to recognise phishing, and from the difficulty of monitoring the large and diverse estate of assets the NHS manages across the country.

The ransomware risk to healthcare is a global problem. Cisco Talos’ 2023 Year in Review identified healthcare and medical services as the sector most affected by ransomware in 2023. Healthcare was also the critical infrastructure sector most affected by ransomware in the United States that year, with 249 ransomware complaints from the healthcare and public health sector reported to the FBI’s Internet Crime Complaint Center (IC3).

Recent high-profile ransomware attacks in healthcare, particularly the Change Healthcare attack earlier this year and the recent attack on the Ascension health system, have led to increasingly loud calls for government intervention to improve cyber defences through more funding and policy and to prevent the next major attack. Healthcare providers are also under pressure to clean up their act and avoid becoming the next major healthcare ransomware victim and, more importantly, to avoid putting patient care, privacy and lives at risk.

“Traditional reactive approaches are no longer sufficient to contain these threats. Healthcare providers must implement robust security measures that encompass not only their own systems but also those of their third-party providers. This includes continuous monitoring, regular security assessments and comprehensive emergency response plans,” Kevin Kirkwood, deputy CISO at LogRhythm, told SC Media. “By adopting these strategies, healthcare organizations can better protect their critical infrastructure and, most importantly, ensure the safety and trust of their patients.”