Ransomware attack chaos at London hospitals blamed on Qilin gang


The ransomware attack on NHS England pathology partner Synnovis – which forced a pause on critical services at five NHS London hospitals – has been claimed by the Qilin ransomware group.

The attack, which knocked out Synnovis’ networks on Monday, has disrupted services at multiple hospitals across London and has been officially declared a 'critical incident' by the National Health Service (NHS) in London.

“At present the full extent of the attack, as well as the impact upon data, is not known,” the NHS revealed on Wednesday.


Synnovis operates one of the largest “purpose-built pathology laboratories” hubs in the UK, making it the main pathology provider for the affected hospitals.

Those hospitals include King’s College Hospital NHS Foundation Trust, Guy’s and St Thomas’ NHS Foundation Trust, Royal Brompton Hospital, and Evelina London Children's Hospital, as well as primary care services in the southeast part of the capital, the NHS said.


Synnovis runs over 100 specialized labs across London, offering testing and diagnostics for dozens of conditions, from diabetes, genetics, and neuropathy to blood transfusions, immunology, and oncology, according to its website.

The ransom gang apparently posted Synnovis (formerly Viapath) on its dark web leak blog early Wednesday, but since then Qilin’s onion site has been down, prompting speculation that its administrators were either migrating to a new server or had been taken down by law enforcement.

By late Wednesday, Cybernews could confirm that the Qilin site appeared to be slowly coming back online, making the latter explanation unlikely.

Disruption of services ongoing

Meanwhile, NHS London put out a fresh statement on Wednesday with the latest information.


“The ransomware cyberattack on Synnovis is continuing to cause disruption to services,” an NHS spokesperson said.

“NHS England has deployed a cyber incident response team, which is working round the clock to support Synnovis and provide emergency guidance, as well as coordinating with health services across the capital to minimize disruption to patient care,” the national agency said.

NHS statement on Synnovis, June 5th. Source: england.nhs.uk. Image by Cybernews.

“Unfortunately, some operations and procedures which rely more heavily on pathology services have been postponed, and blood testing is being prioritized for the most urgent cases, meaning some patients have had phlebotomy appointments canceled,” the NHS spokesperson said.

Although the NHS announced that all urgent and emergency services “remain open as usual… with longer wait times,” Kevin Kirkwood, Deputy CISO at global security intelligence firm LogRhythm, said, “the repercussions of this ransomware attack extend beyond operational and financial disruptions.”

The Synnovis attack has “compromised blood transfusion IT systems, directly impacting and endangering patient health,” Kirkwood pointed out.

Kirkwood said “the aftermath not only highlights the immediate impact of ransomware attacks on healthcare facilities but also erodes public trust in the very institutions responsible for safeguarding our health and well-being.”

Synnovis labs hack
Image by Synnovis.

"The interconnected nature of modern healthcare systems, coupled with reliance on third-party providers, poses significant risks to healthcare providers,” said Kirkwood, adding that “traditional reactive approaches are no longer sufficient.”

Kirkwood stressed that healthcare providers must implement “robust security measures” not just for their own systems but also for those of “their third-party partners.”


By adopting secure strategies, such as continuous monitoring, regular security assessments, and comprehensive incident response plans, Kirkwood said, “healthcare organizations can better protect their critical infrastructure and, most importantly, ensure the safety and trust of their patients."

Who is the Qilin gang?

A March 2023 undercover investigation by Group-IB shed some light on the inner workings of the lesser-known Qilin gang.

The group, which operates as a ransomware-as-a-service (RaaS) model, was first seen on the ransomware circuit in 2022 and often targets its victims with phishing emails.

Qilin, also known by the moniker Agenda, is believed to be Russian-linked, as the gang vows to avoid targeting CIS nations.

The threat actors typically publish a sample cache of the data allegedly stolen during an attack alongside the victim’s name on the dark blog. However, with the site down for much of Wednesday, it's unclear what has been posted about Synnovis.

Below is an example from a November 2023 ransomware attack on Yanfeng – one of the top auto parts suppliers in North America, whose customers include GM, Chrysler, Jeep, Dodge, and Ram.

Yanfeng Qilin dark blog
Qilin leak site. Image by Cybernews.

The cybercriminal group has also been linked to attacks exploiting the Citrix NetScaler ADC and Gateway vulnerability known as “Citrix Bleed” (CVE-2023-4966), a memory disclosure bug that leaks session tokens and lets an attacker hijack authenticated sessions, bypassing MFA. It was exploited in the wild as a zero-day before a patch was available.

Citrix disclosed and patched the bug in October 2023, although it had been exploited since August of that year, and many companies have been slow to apply the patch, according to security insiders.


The flaw was also a favorite of the LockBit ransomware gang, which used it to attack several high-profile victims last November, including Boeing, ICBC, Allen & Overy, and DP World Australia.

Last month, the CEO of UnitedHealth Group, testifying in Washington about the devastating Change Healthcare hack, revealed that the ALPHV/BlackCat ransomware group used “compromised credentials to remotely access a Change Healthcare Citrix portal.”

So far, there has been no word on how the attackers were able to breach Synnovis’ IT systems.