Qilin ransomware gang publishes stolen NHS data online

Ransomware gang Qilin has published almost 400GB of sensitive healthcare data online following its high-profile malware attack on pathology laboratory Synnovis, which processes blood tests for NHS organisations across London.

The ransomware incident – which was first detected on 3 June – has affected a number of NHS trusts and GP surgeries using Synnovis’s services across the capital, prompting major disruptions in their ability to deliver patient care, including through blood stock shortages, delays in medical procedures and cancelled appointments.

On 21 June, NHS England said it was made aware that Qilin had published huge amounts of Synnovis’s stolen data online the night before, and that it is working with the company, the National Cyber Security Centre (NCSC) and others to determine the content of the published files as quickly as possible.

“This includes whether it is data extracted from the Synnovis system, and if so whether it relates to NHS patients,” it said in a statement. “As more information becomes available through Synnovis’s full investigation, the NHS will continue to update patients and the public.”

The Russia-based ransomware gang has been attempting to extort Synnovis since hacking the firm, previously telling the BBC they would publish the private information online unless they got paid.

According to the BBC, the data now uploaded to Qilin’s darknet site and Telegram channel includes patient names, dates of birth, NHS numbers and descriptions of blood tests, but it’s currently unknown if test results are also included in the data.

Business account spreadsheets have also been uploaded, detailing arrangements between hospitals, GP services and Synnovis.

Published online

Commenting on the data dump, a Synnovis spokesperson said: “Last night a group claiming responsibility for the cyber attack published data online that they allege belongs to Synnovis.

“We know how worrying this development may be for many people. We are taking it very seriously and an analysis of this data is already underway. This analysis, run in conjunction with the NHS, the National Cyber Security Centre and other partners, aims to confirm whether the data was taken from Synnovis’s systems and what information it contains. We will keep our service users, employees and partners updated as the investigation progresses.”

Speaking to the BBC’s Today programme on 5 June, former NCSC chief executive Ciaran Martin said it was unlikely the gang would receive any money thanks to the UK government’s policy of not allowing public sector organisations to pay ransoms, although he noted that Synnovis, as a private sector organisation, is not under such restrictions.

Martin added that the gang was likely just looking for a quick pay-off and probably didn’t expect to cause such intense disruption when it attacked Synnovis.

Between 10 and 16 June, the second week after the attack, more than 320 planned operations and 1,294 outpatient appointments were postponed at King’s College Hospital NHS Foundation Trust and Guy’s and St Thomas’ NHS Foundation Trust.

In total, 1,134 operations have been cancelled in the wake of the attack, which also affected the South London and Maudsley NHS Foundation Trust and Oxleas NHS Foundation Trust, along with GP surgeries, clinics and services in Bexley, Bromley, Greenwich, Lambeth, Lewisham and Southwark.

“Unfortunately, healthcare organisations have been – and will continue to be – a prime target for ransomware attacks because the services they provide are so critical to the communities they serve, and this puts pressure on the targets to get back online as fast as possible,” said Peter Mackenzie, director of incident response at Sophos.

“Further complicating matters is the rise in supply chain attacks across industries,” he said. “They are a preferred method of compromise for a number of criminal groups because, as well as being difficult to defend against, they also have a ripple effect, allowing attackers to infiltrate multiple systems at a time. In fact, IT and cyber professionals working in the UK healthcare sector perceive partners and the supply chain to be their single biggest cyber security risk.”

According to Comparitech, the Qilin gang was responsible for eight confirmed attacks in 2023, and so far this year has claimed over 30.

The ransomware-as-a-service operation uses the now standard double extortion tactic to pressurise its victims. Its ransomware locker uses the cross-platform coding languages Rust and Golang, and spreads mostly through phishing emails – although it has also been known to use exposed applications and interfaces, including remote desktop protocol and Citrix.

Earlier in 2024, it attacked the systems of UK-based publisher and social enterprise The Big Issue, stealing over 500GB of personnel and partner information, contracts, and financial and investment data.