A group of Russian cybercriminals is behind the ransomware attack that halted operations and tests in major London NHS hospitals, the former chief executive of the National Cyber Security Centre has said.
Ciaran Martin said the attack on the pathology services firm Synnovis had led to a “severe reduction in capacity” and was a “very, very serious incident”.
Hospitals declared a critical incident after the attack and have cancelled operations and tests and been unable to carry out blood transfusions.
Memos to NHS staff at King’s College hospital, Guy’s and St Thomas’ (including the Royal Brompton and the Evelina London children’s hospital) and primary care services in the capital said there had been a “major IT incident”.
Asked on BBC Radio 4’s Today programme on Wednesday if it was known who attacked Synnovis, Martin said: “Yes. We believe it is a Russian group of cybercriminals who call themselves Qilin.”
A separate source also confirmed to the Guardian that the Qilin group was the assailant. It is understood there is no indication of the attack having spread to other areas of the NHS, despite Synnovis having contracts with other NHS trusts around the country.
Martin told the Guardian that the attack appeared to have been made as disruptive as possible for the company, in a bid to secure a ransom.
“It does look like a targeted operation, designed to hurt so they would have to pay up,” he said.
However, the tech company behind Synnovis, Munich-based Synlab, was hit by a ransomware attack in April from a different group – known as BlackBasta – and does not appear to have paid a ransom. Typically, ransomware gangs extract data from the victim’s IT system and demand a payment for its return.
Data from the hack of Synlab’s Italian branch was published online in full last month, indicating that no ransom payment had been made. It is not illegal in the UK to pay ransomware gangs, although it is against the law to pay ransoms if the affected entity knows or suspects that the proceeds will be used to fund terrorism.
Martin said most ransomware gangs operate within Russia, albeit without direct influence from the Russian state. “Most of these groups are Russian-hosted and tolerated, but not directed by the state. Russia is a giant safe haven for cybercrime,” he said.
Qilin is known as a ransomware-as-a-service group, which hires out malware to fellow criminals in exchange for a cut of the proceeds and also vets who is targeted.
Last year, victims of ransomware attacks paid out a record $1.1bn to assailants, according to the cryptocurrency research firm Chainalysis – double the 2022 total.
Ransomware gangs typically demand payment in cryptocurrency, which they find easier to move across international boundaries and can be less traceable if certain exchanges are used. The average ransomware payment over the past year has risen 500% to $2m (£1.6m) according to Sophos, a British cybersecurity company. The NCSC, part of the UK’s GCHQ intelligence agency, is investigating the impact of the cyber-attack along with NHS officials.
Synnovis said the incident had been reported to the police and the information commissioner, the UK’s data watchdog.
The health secretary, Victoria Atkins, wrote on X on Wednesday: “Throughout yesterday I had meetings with NHS England and the National Cyber Security Centre to oversee the response to the cyber-attack on pathology services in south-east London.
“My absolute priority is patient safety and the safe resumption of services in the coming days.”
Synnovis’s chief executive, Mark Dollar, said a taskforce of IT experts from Synnovis and the NHS was working to fully assess the impact and what action was needed.
According to the Health Service Journal, one senior source said gaining access to pathology results could take “weeks, not days”.
