Fraud Management & Cybercrime , Ransomware

UK Pathology Lab Ransomware Attackers Demanded $50 Million

Russian-Speaking Gang Follows Typical Playbook; Critical Services Still Disrupted
UK Pathology Lab Ransomware Attackers Demanded $50 Million
The attack has disrupted patient care at multiple London hospitals, including ones that are part of Guy's and St Thomas' NHS Foundation Trust. (Image: Shutterstock)

The ransomware attack against a pathology services provider in London that's causing widespread patient disruptions continues to grind through criminals' typical playbook.

See Also: The Cost of Underpreparedness to Your Business

On June 4, crypto-locking malware hit London-based pathology company Synnovis, which provides crucial services such as blood tests. Synnovis was left unable to access numerous systems and files, which has led to the ongoing cancellation of medical procedures and other disruptions for patients of southeastern London hospitals and doctors' practices as the firm works to recover (see: London Hospitals Seek Biologics Backup After Ransomware Hit).

A member of the Russian-speaking Qilin ransomware group tied to the attack told Bloomberg on Tuesday they demanded a $50 million ransom from the victim, payable within 120 hours. Qilin also claimed that they exploited a zero-day vulnerability to gain access to Synnovis' systems. That claim couldn't be verified (see: Qilin RaaS Group Believed to Be Behind Synnovis, NHS Attack).

Synnovis is a pathology company founded in 2009 and formerly known as Viapath. It functions as a partnership between Guy's and St Thomas' National Health Service Foundation Trust and King's College Hospitals NHS Trust in London and Munich-based medical diagnostics provider Synlab.

As of Wednesday morning, Qilin's Tor-based data leak site didn't list the company as a victim or include any samples of supposedly stolen data.

"Synnovis is aware of reports that an unauthorized third party has claimed responsibility for this recent cyberattack," a spokesperson told Information Security Media Group. "Our investigation into the incident remains ongoing, including assessing the validity of the third party's claims and the nature and scope of the data that may be impacted."

Cybersecurity expert Brian Honan of BH Consulting said the ransom demand issued by the extortionists is "extraordinarily and unusually high," especially compared to the 2021 attack against the Irish Health Service Executive, "which took down the entire IT infrastructure for Ireland's health service" and featured a $21 million ransom demand.

"Normally, ransomware demands are at a level that the criminals know the victim organization can pay," said Honan, the CEO of Dublin-based BH Consulting. "This demand for $50 million could simply be a publicity stunt by the criminals in order to raise their notoriety amongst future victims as they know by demanding this high extortion fee they will get a lot of media attention, particularly in mainstream media outlets."

As the company appears to have not paid - experts urge victims to not pay whenever possible - the attackers have begun to do what they typically do next: publicly name and shame the victim, threaten to leak data they claim to have stolen during the attack, and hype their brand (see: Ransomware Groups: Trust Us. Uh, Don't.).

Restoration Continues

Synnovis in a Monday statement said it's continuing to restore systems, working closely with Britain's National Cyber Security Center, which is the national incident response agency, as well as with NHS England's Cyber Operations Team.

"Our plan for the restoration of services is comprehensive and well underway, running in parallel to the forensic investigation being led by external specialists," Mark Dollar, CEO of Synnovis, said on Monday. "Every available resource is focused on this plan."

The company said its restoration plan "prioritizes both clinical criticality and the safe and secure restoration of services," and that "in collaboration with our analytical platform suppliers, we have already brought our analyzers back online, which is significant progress at this stage of the recovery process."

Even so, two weeks post-attack, Synnovis said its ability to process samples remains "significantly reduced" and that it's been telling general practitioners to send non-urgent blood tests to other labs as a temporary workaround, so it can better focus on the urgent ones it receives.

The company said it's in close contact with the Information Commissioner's Office - Britain's data protection regulator - and that the extent of any data breach as yet remains unknown. "Once further information is known we will report in line with Information Commissioner's Office requirements, and prioritize the notification of any impacted individuals or partners as required," it said.

NHS England London said the two trusts most affected by the attack - King's College Hospital NHS Foundation Trust and Guy's and St Thomas' NHS Foundation Trust - postponed over 800 planned operations and 700 outpatient appointments in the first week following the incident. "The majority of planned activity has continued to go ahead, with some specialties impacted more than others," it said.

Honan said one business resilience takeaway for all organizations is the need to test how they might fare in the event of a similarly disruptive incident and prepare accordingly. He said that "resilience planning needs to extend beyond the systems under our direct control" and that "we need to look at our supply chains and determine how our organizations can continue to provide services in the event a key supplier is impacted by a cyberattack or other major disruption."

What Is Qilin?

Qilin appears to function as a ransomware-as-a-service group, meaning its operators provide crypto-locking malware to affiliates, run a dedicated data leak site and possibly also handle negotiations with victims. The group last year claimed affiliates keep 80% of every ransom worth $3 million or less and 85% of any ransom worth more, said cybersecurity firm Group-IB.

Many groups, including Qilin, use a data leak blog to put pressure on victims to pay. By leaking stolen data - or at least claiming to do so - when victims don't pay, they use that as an example to pressure future victims into paying.

The healthcare sector remains a repeat and often successful target for ransomware-wielding hackers. It isn't clear whether Synnovis' attackers expected the company to pay $50 million or to use it as a starting point for negotiations or to get the British government to help.

The British government has a policy against paying ransoms, Ciaran Martin, the former CEO of the NCSC, told the BBC earlier this month in the wake of the attack.

Repeat Targets

In April, Synlab's Italian subsidiary fell victim to a ransomware attack that involved Black Basta ransomware. It reportedly declined to pay a ransom and shortly thereafter said it had restored all operations and was gradually resuming full services. Black Basta subsequently leaked 1.5 terabytes of stolen data on its data leak site and said the leak includes company data, employee information and personal documents such as driver's license photographs, customer data and medical analyses including "spermograms, toxicology, anatomy" data and imaging.

Whether the same group of affiliates executed both attacks against the Synlab-tied companies, using Black Basta ransomware in the first instance and Qilin in the second, remains unclear. Cybersecurity experts say ransomware affiliates sometimes work with multiple groups at the same time and may select which strain of ransomware to use against any given victim in part based on the environment they're targeting.

Attacks involving Qilin ransomware have been on the rise since early this year, said cybersecurity firm Secureworks. While Qilin appears to have debuted around mid-2022, "it is likely that the group benefited from the law enforcement disruption caused to both the Alphv/BlackCat and LockBit ransomware schemes in early 2024, prompting their affiliates to move to other programs to continue their criminal endeavors."

About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.