
Qilin ransomware gang likely behind crippling NHS attack

Security experts investigating a major cyber attack on an NHS partner that has caused frontline services across South London to grind to a halt say the Qilin ransomware gang appears to be the culprit

The Russia-based, financially motivated Qilin ransomware gang is likely behind a developing cyber attack at health service laboratory partner Synnovis, which is disrupting primary care functions across South London and has forced the NHS to declare a critical incident.

The attack, first detected on Monday 3 June, has affected a number of NHS trusts, most prominently Guy’s and St Thomas’ NHS Foundation Trust (including the Royal Brompton and Evelina hospitals) and King’s College NHS Foundation Trust, but also the South London and Maudsley NHS Foundation Trust and Oxleas NHS Foundation Trust, along with GP surgeries, clinics and services in Bexley, Bromley, Greenwich, Lambeth, Lewisham and Southwark, all of which rely on Synnovis services.

Speaking to the BBC’s Today Programme on Wednesday 5 June, former National Cyber Security Centre (NCSC) chief executive Ciaran Martin said the current belief was that Qilin was behind the incident.

Martin said the gang was likely just looking for a quick payoff and probably did not expect to cause such intense disruption when it attacked Synnovis. He said it was unlikely the gang would receive any money thanks to the UK government’s policy of not allowing public sector organisations to pay ransoms, although he noted that Synnovis, as a private sector organisation, is not under such restrictions.

One patient scheduled to undergo heart surgery this week told the BBC he learned of the cancellation of his operation at the last minute, when the surgeon due to carry out the procedure told him there was an issue with the blood bank.

Mark Dollar, CEO of Synnovis, which was established as a joint venture between Germany-based laboratory diagnostics services specialist Synlab and the involved NHS trusts, apologised for the disruption.

“We are incredibly sorry for the inconvenience and upset this is causing to patients, service users and anyone else affected. We are doing our best to minimise the impact and will stay in touch with local NHS services to keep people up to date with developments,” said Dollar.

He confirmed that Synnovis was indeed dealing with a ransomware attack, but said it was still early days and the organisation was still working to establish the facts of the incident.

“A taskforce of IT experts from Synnovis and the NHS is working to fully assess the impact this has had, and to take the appropriate action needed. We are working closely with NHS trust partners to minimise the impact on patients and other service users… Regrettably, this is affecting patients, with some activity already cancelled or redirected to other providers as urgent work is prioritised,” he said.

“We take cyber security very seriously at Synnovis and have invested heavily in ensuring our IT arrangements are as safe as they possibly can be. This is a harsh reminder that this sort of attack can happen to anyone at any time and that, dispiritingly, the individuals behind it have no scruples about who their actions might affect,” said Dollar.

A spokesperson for NHS England – London Region said: “On Monday 3 June, Synnovis, a provider of lab services, was the victim of a ransomware cyber attack.

“This is having a significant impact on the delivery of services at Guy’s and St Thomas’, King’s College Hospital NHS Foundation Trusts and primary care services in south-east London and we apologise for the inconvenience this is causing to patients and their families.

“Emergency care continues to be available, so patients should access services in the normal way by dialling 999 in an emergency and otherwise using 111, and patients should continue to attend appointments unless they are told otherwise. We will continue to provide updates for local patients and the public about the impact on services and how they can continue to get the care they need.”

The incident has been reported to law enforcement and the Information Commissioner’s Office (ICO), and those involved are receiving support from the NCSC.

Healthcare increasingly attacked

Although it is yet to be established whether the victimisation of Synnovis was opportunistic or targeted, the healthcare sector is one of the most frequently attacked by ransomware gangs.

Indeed, according to Blackfog’s most recent monthly ransomware report – covering May 2024 – it is now the “most” attacked, with 57 known incidents during the period, up 30% in the space of just a few weeks.

Healthcare systems around the world – not just the NHS – are particularly vulnerable to such attacks for a number of reasons: they hold huge amounts of highly sensitive and valuable data; they often rely on legacy technology, a particularly acute problem for many NHS trusts; they are highly exposed to the risk of compromise through third-party suppliers, as has happened here; and, because they are focused primarily, and rightly, on patient care, they may neglect security awareness training for clinical staff.

A not insignificant factor in the volume of attacks is the fact that American healthcare systems, which are run by private enterprises for profit and not by the state, have no legal restrictions on paying ransoms and may be more motivated to do so to avoid disruption.

Growing threat from Qilin

Named for a legendary Chinese chimera, the Qilin crew was first observed in 2022 but, in recent months, has been expanding into gaps left by the disruption of operations such as LockBit and ALPHV/BlackCat.

According to Comparitech, the gang was responsible for eight confirmed attacks in 2023, and so far this year it has claimed over 30.

The ransomware-as-a-service operation uses the now standard double extortion tactic to pressurise its victims. Its ransomware locker uses the cross-platform coding languages Rust and Golang, and spreads mostly through phishing emails, although it has also been known to use exposed applications and interfaces, including remote desktop protocol and Citrix.

Earlier in 2024, it attacked the systems of UK-based publisher and social enterprise The Big Issue, stealing over 500GB of personnel and partner information, contracts, and financial and investment data.
