Ransomware Attack Causes Chaos at London Hospitals, Qilin Gang Blamed
London: A ransomware attack by the Qilin ransomware group has wreaked havoc on critical services at five NHS London hospitals, following a strike on England’s NHS partner Synnovis Labs. The attack, which crippled Synnovis’ networks on Monday, has been declared a ‘critical incident’ by the National Health Services (NHS) London.
Synnovis, one of the largest pathology laboratories in the UK, serves as the main provider for King’s College Hospital NHS Foundation Trust, Guy’s and St Thomas’ NHS Foundation Trust, Royal Brompton Hospital, and Evelina London Children’s Hospital. The attack has significantly disrupted services at these hospitals as well as primary care services in southeast London.
“Currently, the full extent of the attack and its impact on data are unknown,” the NHS revealed on Wednesday.
Cyberattack’s Broad Impact
The ransomware group posted Synnovis, previously known as Viapath, on their dark web blog early Wednesday. However, Qilin’s onion site has since gone down, leading to speculation about server changes or law enforcement infiltration. Cybernews later confirmed that the site was slowly coming back online.
NHS London issued a fresh statement on Wednesday with updated information. “The ransomware cyberattack on Synnovis is continuing to cause disruption to services,” an NHS spokesperson said. “NHS England has deployed a cyber incident response team, working round the clock to support Synnovis and provide emergency guidance, while coordinating with health services across the capital to minimize disruption to patient care.”
Some operations and procedures reliant on pathology services have been postponed, and blood testing is being prioritized for urgent cases, leading to the cancellation of some phlebotomy appointments.
Expert Insights and Warnings
Kevin Kirkwood, Deputy CISO at global security intelligence firm LogRhythm, emphasized the broad implications of the attack. “The repercussions of this ransomware attack extend beyond operational and financial disruptions,” Kirkwood said. “The Synnovis attack has compromised blood transfusion IT systems, directly impacting and endangering patient health.”
Kirkwood highlighted that the attack erodes public trust in the institutions responsible for safeguarding health and well-being. He stressed the need for robust security measures not just for healthcare providers’ systems but also for those of their third-party partners. By adopting secure strategies such as continuous monitoring, regular security assessments, and comprehensive incident response plans, healthcare organizations can better protect their critical infrastructure and ensure patient safety and trust.
Qilin Gang’s Modus Operandi
The Qilin gang, also known as Agenda, operates on a ransomware-as-a-service (RaaS) model and has been active since 2022. The group often targets victims with phishing emails and avoids targeting CIS nations, indicating a possible Russian link.
A March 2023 undercover investigation by Group-IB provided insights into Qilin’s inner workings. The gang is known for providing a sample cache of stolen data and publicly outing victims on its dark blog. Notably, the group has been linked to exploiting the zero-day vulnerability known as “Citrix Bleed,” a flaw also used by the LockBit ransomware gang in several high-profile attacks last November, including on Boeing and ICBC Bank.
Uncertain Breach Methods
The exact method by which the attackers breached Synnovis’ IT systems remains unclear. Past incidents, such as the ALPHV/BlackCat ransomware attack on UnitedHealth Group, involved compromised credentials to access systems remotely. The ongoing investigation may provide further details on the attack vector used by the Qilin gang.
As the situation develops, NHS and cybersecurity experts continue to monitor and respond to the intrusion, emphasizing the critical need for enhanced security measures across the healthcare sector.