Security experts point to Qilin ransomware as culprit behind the NHS cyberattack that disrupted hospital services.
Security experts investigating a major cyber attack on NHS partner Synnovis that crippled frontline services across South London hospitals believe the attack was carried out by the Qilin ransomware gang.
Synnovis, a provider of laboratory diagnostics services, experienced a ransomware attack on June 3rd that impacted several major NHS trusts that rely on its services, including Guy’s and St Thomas’, King’s College, South London and Maudsley, and Oxleas NHS Foundation trusts. The attack disrupted primary care functions across South London and forced the NHS to declare a critical incident.
Ciaran Martin, former head of the UK’s National Cyber Security Centre, told the BBC that current analysis points to the Qilin gang being responsible. He noted the gang is usually just seeking a quick payoff and likely did not expect such widespread disruption. However, as a policy, UK public sector bodies do not pay ransom demands.
The attack led to the cancellation of surgeries and diagnostic tests. One patient learned at the last minute that heart surgery was cancelled due to issues with blood supplies impacted by the Synnovis attack.
Synnovis CEO Mark Dollar apologized for the disruption, noting the company takes cybersecurity seriously but these types of attacks “can happen to anyone.” He confirmed the company was dealing with a ransomware attack but more details were still emerging. Dollar called it a “harsh reminder” that attackers have no qualms about who is impacted.
Growing Threat from Financially-Motivated Qilin Ransomware Gang
Named after a mythical Chinese creature, the Qilin ransomware gang first emerged in 2022 and has been expanding its operations in areas where other ransomware groups have been disrupted. Security experts report the group was responsible for over 30 attacks already in 2024, up significantly from just 8 in 2023.
Qilin uses the double extortion tactic of encrypting data and stealing information to demand payment. It spreads via phishing emails and exposed remote access points. In an earlier 2024 attack, it compromised The Big Issue, stealing over 500GB of sensitive data on employees, partners and finances.
Healthcare is a frequent target as it holds valuable personal data while relying on aging IT systems and third-party suppliers. Ransom payments are also more likely from US healthcare providers seeking to limit disruption, making it a profitable sector for attackers.
The Synnovis incident serves as a reminder that these attacks can happen to any organization. As system interconnectivity grows through technologies like cloud computing, even well-defended organizations are only as secure as their weakest link, such as a vulnerable third-party supplier.
Helpful Intel on Qilin Ransomware Group
- Financially motivated, using double extortion: data encryption combined with exfiltration
- Uses the Rust and Golang programming languages across platforms such as Windows, Linux and macOS
- Spreads through phishing emails and exposed remote system access points
- Healthcare is a major target due to valuable data and reliance on legacy or third-party systems
- Attacked The Big Issue UK charity in 2024, stealing 500GB of sensitive data
- Behind 30 reported attacks already in 2024, significantly up from just 8 in the prior year
While Synnovis had ransomware protections, the sophisticated Qilin strain was still able to encrypt vital healthcare records and laboratory systems. It remains unclear if a ransom will be paid, though public bodies refuse to do so on principle. The incident serves as an important reminder that even compliant organizations with strong security can fall victim to these cyber attacks.