Fraud Management & Cybercrime
,
Ransomware
Russian-Speaking Gang Follows Typical Playbook; Critical Services Still Disrupted
The ransomware attack against a pathology services provider in London that’s causing widespread patient disruptions continues to grind through criminals’ typical playbook.
See Also: NHS Ransomware Attack: Healthcare Industry Infrastructures Are Critical
On June 4, crypto-locking malware hit London-based pathology company Synnovis, which provides crucial services such as blood tests. Synnovis being left unable to access numerous systems and files has led to the ongoing cancellation of medical procedures and other disruptions for patients of southeastern London hospitals and doctors’ practices as the firm works to recover (see: London Hospitals Seek Biologics Backup After Ransomware Hit).
A member of the Russian-speaking Qilin ransomware group tied to the attack told Bloomberg on Tuesday they demanded a $50 million ransom from the victim, payable within 120 hours. Qilin also claimed that they exploited a zero-day vulnerability to gain access to Synnovis’ systems. That claim couldn’t be verified (see: Qilin RaaS Group Believed to Be Behind Synnovis, NHS Attack).
Synnovis is a pathology company founded in 2009 and formerly known as Viapath, which functions as a partnership between Guy’s and St Thomas’ National Health Service Foundation Trust and King’s College Hospitals NHS Trust in London, and Munich-based medical diagnostics provider Synlab.
As of Wednesday morning, Qilin’s Tor-based data leak site didn’t list the company as a victim or include any samples of supposedly stolen data.
“Synnovis is aware of reports that an unauthorized third party has claimed responsibility for this recent cyberattack,” a spokesperson told Information Security Media Group. “Our investigation into the incident remains ongoing, including assessing the validity of the third party’s claims and the nature and scope of the data that may be impacted.”
Cybersecurity expert Brian Honan said the ransom demand issued by the extortionists is “extraordinarily and unusually high,” especially in contrast to the 2021 attack against the Irish Health Service Executive, “which took down the entire IT infrastructure for Ireland’s health service,” and featured a $21 million ransom demand.
“Normally ransomware demands are at a level that the criminals know the victim organization can pay,” said Honan, who’s CEO of Dublin-based BH Consulting. “This demand for $50 million could simply be a publicity stunt by the criminals in order to raise their notoriety amongst future victims as they know by demanding this high extortion fee they will get a lot of media attention, particularly in mainstream media outlets.”
As the company appears to have not paid – as experts urge victims to never do whenever possible – the attackers have begun to do what they typically do next: publicly name and shame the victim, threaten to leak data they claimed to also steal during the attack, and hype their brand (see: Ransomware Groups: Trust Us. Uh, Don’t.).
Restoration Continues
Synnovis in a Monday statement said it’s continuing to restore systems, working closely with Britain’s National Cyber Security Centre, which is the national incident response agency, as well as with NHS England’s Cyber Operations Team.
“Our plan for the restoration of services is comprehensive and well underway, running in parallel to the forensic investigation being led by external specialists,” Mark Dollar, CEO of Synnovis, said on Monday. “Every available resource is focused on this plan.”
The company said its restoration plan “prioritizes both clinical criticality and the safe and secure restoration of services,” and that “in collaboration with our analytical platform suppliers, we have already brought our analyzers back online, which is significant progress at this stage of the recovery process.”
Even so, two weeks post-attack, Synnovis said its ability to process samples remains “significantly reduced,” and that it’s been telling general practitioners to send non-urgent blood tests to other labs as a temporary workaround, so it can better focus on the urgent ones it receives.
The company said it’s also in close contact with the Information Commissioner’s Office – Britain’s data protection regulator – and that the extent of any data breach as yet remains unknown. “Once further information is known we will report in line with Information Commissioner’s Office requirements, and prioritize the notification of any impacted individuals or partners as required,” it said.
NHS England London said the two trusts most affected by the attack – King’s College Hospital NHS Foundation Trust and Guy’s and St Thomas’ NHS Foundation Trust – postponed over 800 planned operations and 700 outpatient appointments in the first week alone following the incident. “The majority of planned activity has continued to go ahead, with some specialties impacted more than others,” it said.
BH Consulting’s Honan said one business resilience takeaway for all organizations should be the need to test how they might fare in the event of a similarly disruptive incident, and prepare accordingly. “What the Synnovis attack also highlights is that our resilience planning needs to extend beyond the systems under our direct control and that we need to look at our supply chains and determine how our organizations can continue to provide services in the event a key supplier is impacted by a cyberattack or other major disruption,” he said.
What is Qilin?
Qilin appears to function as a ransomware-as-a-service group, meaning its operators provide crypto-locking malware to affiliates, run a dedicated data-leak site, and possibly also handle negotiations with victims. The group last year claimed affiliates keep 80% of every ransom worth $3 million or less, and 85% for any ransom worth more, said cybersecurity firm Group-IB.
Many groups, including Qilin, use a data-leak blog to add pressure on victims to pay. By leaking stolen data – or at least claiming to – when victims don’t pay, they try to use it as an example to pressure future victims into paying.
The healthcare sector remains a repeat and often successful target for ransomware-wielding hackers. Whether Synnovis’ attackers expected them to pay $50 million, or at least to use it as a starting point for negotiations or possibly get the British government to help, isn’t clear.
The British government has a policy against paying ransoms, Ciaran Martin, the former CEO of the NCSC, told the BBC earlier this month in the wake of the attack.
Repeat Targets
In April, Synlab’s Italian subsidiary fell victim to a ransomware attack that involved Black Basta ransomware. It reportedly declined to pay a ransom and shortly thereafter said it had restored all operations and was gradually resuming full services. Black Basta subsequently leaked 1.5 terabytes of stolen data on its data leak site, saying the leak includes company data, employee information and personal documents that include as driver’s license photographs, customer data as well as medical analyses including “spermograms, toxicology, anatomy” data and imaging.
Whether the same group of affiliates executed both attacks against the Synlab-tied companies, using Black Basta ransomware in the first instance and Qilin in the second, remains unclear. Cybersecurity experts say ransomware affiliates sometimes work with multiple groups at the same time, and may select which strain of ransomware to use against any given victim in part based on the environment they’re targeting.
Attacks involving Qilin ransomware have been on the rise since early this year, said cybersecurity firm Secureworks. While Qilin appears to have debuted around mid-2022, “it is likely that the group benefitted from the law enforcement disruption caused to both the Alphv/BlackCat and LockBit ransomware schemes in early 2024, prompting their affiliates to move to other programs to continue their criminal endeavors.”