Several large hospitals in Britain’s capital London face days and possibly weeks of disruption after a partner organization was compromised by a potent ransomware attack.
The attack on June 3 targeted medical diagnostics company Synnovis, causing huge disruption to pathology and testing, an essential service that hospitals depend on for routine diagnostics.
Specifically, the cyberattack caused the connection between the hospitals and the company’s servers to be disconnected, taking down access to essential data.
The incident has badly affected two National Health Service (NHS) hospital trusts responsible for several of the capital’s busiest centers, including St Thomas’ Hospital, King’s College Hospital, Guy’s Hospital, Royal Brompton Hospital, and Evelina London Children’s Hospital.
By June 4, the hospitals started cancelling transplant operations and described blood transfusions as “particularly affected” in an internal memo written by Guy’s and St Thomas’ head, Professor Ian Abbs.
On the same day, Synnovis, a joint venture between the two health trusts involved and German medical testing and diagnostics company Synlab, acknowledged the attack.
“It is still early days, and we are trying to understand exactly what has happened,” it said in a statement. “We take cybersecurity very seriously at Synnovis and have invested heavily in ensuring our IT arrangements are as safe as they possibly can be. This is a harsh reminder that this sort of attack can happen to anyone at any time and that, dispiritingly, the individuals behind it have no scruples about who their actions might affect.”
Only a few weeks earlier, the Italian subsidiary of Synlab was badly affected by a ransomware attack later claimed by an affiliate operating on the Black Basta ransomware-as-a-service (RaaS) platform.
Supply chain pain
Ransomware attacks are now so frequent across the world that they almost feel routine, but incidents affecting hospitals still have the ability to generate extra public anxiety.
Given the time-sensitive nature of medical workflow, hospitals and health systems make the perfect target for extortion.
Widely cited incidents include the 2021 attack on Ireland’s Health Service Executive (HSE), the bill for which reached €102 million ($111 million) plus hundreds of millions in additional security upgrade costs.
In February, a ransomware gang stole an estimated 3 TB of sensitive patient data from NHS Dumfries and Galloway, much of which was later leaked.
Further afield in the same month, ransomware brought large parts of the Romanian health system to a standstill in an attack affecting dozens of hospitals.
However, alongside the notorious WannaCry incident in 2017, this week’s incident still counts as among the most disruptive ever to affect the NHS.
An increasingly common thread in many of these attacks is the targeting of third-party service providers rather than the hospitals themselves. This is a logical evolution: As hospitals become better defended the next points of weakness are the organizations that support them.
Qilin ransomware
In a BBC radio interview this week, former chief executive of the National Cyber Security Centre (NCSC) Ciaran Martin blamed the Russian “Qilin” (aka “Agenda”) RaaS platform for the attack although this has not been confirmed.
According to security company Group-IB, Qilin has been active since 2022, mainly targeting organizations in critical sectors such as healthcare.
The platform — or the affiliates that use it in return for a cut — is not especially prolific by ransomware standards. The latest attack would by some distance be its most consequential compromise to date.
Neither is Qilin especially innovative, adopting a standard double extortion modus operandi that tries to phish credentials or compromise poorly secured Remote Desktop Protocol (RDP) connections.
Once Synnovis has restored services to hospitals, the next worry for the company will be the extent of any data that might have been lost.
As with so many ransomware incidents before it, many details are still up in the air and might not be confirmed for weeks or months, or perhaps ever.