
Qilin ransomware group blamed for attack disrupting London hospitals


The cyberattack that led multiple London hospitals to declare a state of emergency on Monday is believed to be the work of the ransomware-as-a-service (RaaS) group Qilin, former National Cyber Security Centre CEO Ciaran Martin said on BBC Radio 4’s Today program Wednesday.

Martin said the Qilin ransomware group is financially motivated and Russia-based, using double extortion tactics to both encrypt data and threaten to publish it if a ransom is not paid.

The attack hit Synnovis, a pathology partnership between SYNLAB, Guy's and St Thomas' NHS Foundation Trust and King's College Hospital NHS Foundation Trust. SYNLAB is the largest provider of medical testing and diagnostics in Europe.

Due to the compromise and encryption of Synnovis systems, pathology services were interrupted at the two NHS hospital trusts as well as at general practitioner services across the boroughs of Bexley, Greenwich, Lewisham, Bromley, Southwark and Lambeth, Synnovis CEO Mark Dollar said in a statement Tuesday.

Consequences of the attack have included the postponement of non-emergency patient care and the diversion of operations requiring blood transfusion to other, unaffected hospitals.

“NHS systems are a prime target for cybercriminals because one tiny breach can impact multiple entities. This is another example of why breach containment is paramount – containing attacks at the point of entry can dramatically reduce the impact of a breach,” Trevor Dearing, director of critical infrastructure at Illumio, told SC Media in an email. “The ‘chaos factor,’ the act of causing mass societal upheaval, is now the driving force behind many cyberattacks, and healthcare is one of the few sectors where cyberattacks can fatally impact human life.”

Who is Qilin?

Qilin, also known as Agenda, is a RaaS provider that first emerged in July 2022, according to SentinelOne's profile of the group. Qilin tends to go after high-value victims such as large enterprises and has also been known to hit the healthcare and education sectors with double extortion attacks.

The Qilin ransomware has both Golang and Rust variants, with the Rust variant being especially evasive, customizable and difficult to analyze, according to a Cyberint analysis published in March 2024. The ransomware offers multiple encryption modes that the operator can select at deployment time, and it is frequently delivered via malicious links in phishing emails.

Qilin has claimed attacks against victims in several countries, including the United Kingdom, United States, Canada, Brazil, France and Japan. Qilin has been attributed with attacks against Upper Merion Township (Pennsylvania), Etairos Health and Kevin Leeds CPA in the United States, and Yanfeng Automotive Interiors in China.

“Like other RaaS operations, attacks using Qilin ransomware do not appear to be targeted to a specific country or industry, though the majority of its victims are organizations based in North America and Western Europe. Health Care Equipment and Services rank second in terms of most-impacted industry group, after Commercial and Professional Services,” Louise Ferrett, senior threat intelligence analyst at dark web threat intelligence company Searchlight Cyber, told SC Media. “This victimology is likely informed primarily by opportunity, as well as by which organizations and geographies threat actors believe will be willing and able to pay a larger ransom.”

On Wednesday, The Record reported that Qilin's dark web extortion site had suddenly become unavailable and displayed a 0xF2 error, a Tor error that is common when an onion service is being moved to a new server.

However, Emsisoft Threat Analyst Brett Callow reported Wednesday afternoon that the dark web site was restored but “extremely slow to load,” while the group’s clear web site appeared to be unaffected. It is unclear why the Qilin site may have gone down, but the group had not added Synnovis to its victim list prior to the interruption, according to The Record.

Healthcare continues to be a prime target for ransomware

Multiple ransomware attacks have impacted the UK's National Health Service over the past year, including a July 2023 breach of the Barts Health NHS Trust claimed by ALPHV/BlackCat and the extortion of NHS Dumfries and Galloway by INC Ransom in March of this year.

“The healthcare sector has long been a prime target for cybercriminals due to the wealth of valuable data they hold, including personal health information and financial data. This risk is especially pronounced in the NHS due to their reliance on single-use machines running outdated and unsupported software, along with the practice of multiple users logging onto each PC, making it incredibly difficult to secure and manage these systems effectively,” Martin Greenfield, CEO of cybersecurity continuous monitoring firm Quod Orbis, told SC Media.

Greenfield also noted that a lack of employee cybersecurity training to avoid phishing attacks, and the difficulty of monitoring the large number of diverse assets the NHS manages across the country, could be at play in the recent attacks.

The ransomware risk to healthcare is a global problem, with Cisco Talos’ global 2023 Year in Review report identifying healthcare and medical services as the sector most targeted by ransomware attacks that year. Healthcare was also the most targeted sector for ransomware attacks in the United States in 2023, with 249 attacks reported to the FBI’s Internet Crime Complaint Center (IC3) that year.

Recent high-profile healthcare ransomware attacks, namely the Change Healthcare breach earlier this year and, more recently, the attack on Ascension Medical Group, have led to growing calls for government intervention to improve cyber defenses through greater funding and policy to prevent the next major attack. Healthcare providers are also under pressure to clean up their act and avoid becoming the next big healthcare ransomware victim, and, more importantly, to avoid putting patients' care, privacy and lives at risk.

“Traditional reactive approaches are no longer sufficient to mitigate these threats. Healthcare providers need to implement robust security measures that encompass not just their own systems but also those of their third-party providers. This includes continuous monitoring, regular security assessments, and comprehensive incident response plans,” Kevin Kirkwood, deputy CISO at LogRhythm, told SC Media. “By adopting these strategies, healthcare organizations can better protect their critical infrastructure and, most importantly, ensure the safety and trust of their patients.”
