The healthcare and public health (HPH) sector has been warned about the Qilin ransomware group, which targets healthcare providers because of their dependence on uptime and the sensitive data they hold. About 7% of the ransomware attacks conducted by the Qilin group have been against healthcare organizations.
One recent attack disrupted healthcare services at London hospitals. The group targeted a National Health Service (NHS) pathology services vendor, Synnovis, which conducts blood tests for NHS trusts and GP clinics in south-east London. The attack did not directly affect any NHS hospital systems because it was confined to Synnovis systems; however, it caused major disruption, with thousands of NHS operations and appointments cancelled. Blood testing capacity was reduced to about 10% of normal levels. Because the attack disrupted blood matching, shortages of O-negative and O-positive blood followed. Synnovis is working on recovery, which may take weeks to several months.
The Qilin ransomware-as-a-service group uses double extortion: it steals data before encrypting files and threatens to publish the data if the victim does not pay the ransom. Qilin stole 400GB of data in the Synnovis attack and demanded a $50 million ransom. When no ransom was paid, Qilin published the stolen information on its dark web data leak site. The breached data includes blood test results and personal and medical data gathered from 300 million NHS patient visits.
Qilin is believed to have originated in Russia and first appeared in 2022. The group was initially known as Agenda ransomware and was later renamed Qilin. It recruits affiliates, mostly from CIS countries, to carry out attacks. Qilin supplies the ransomware, tools, and infrastructure and takes 15% to 20% of ransom payments. Many of the group's attacks have demanded ransoms of $50,000 to $800,000, although demands can be much higher, as in the Synnovis attack.
Qilin's attack volume is increasing, with at least 60 attacks so far in 2024. Affiliates mainly target Windows systems, though in December 2023 the group began deploying a Linux version of its ransomware against VMware ESXi servers. Initial access is usually gained through phishing and spear phishing emails, though the group also exploits exposed applications and interfaces such as Citrix and Remote Desktop Protocol (RDP). One group member claimed to have used a zero-day vulnerability in the Synnovis attack but did not say which one.
Once access is gained, the group uses Remote Monitoring and Management (RMM) tools and Cobalt Strike to deploy the ransomware binary. Agenda ransomware can propagate using PsExec and Secure Shell (SSH), and vulnerable .SYS drivers are loaded to evade defences. The Health Sector Cybersecurity Coordination Center (HC3) has documented the relevant MITRE ATT&CK tactics and techniques, indicators of compromise, and recommended mitigations in its published Qilin Threat Profile, which is available on the American Hospital Association website. This information should be included in HIPAA training for healthcare employees to raise awareness of Qilin ransomware attacks.
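The post-access behaviours described above (PsExec propagation, loading of driver files from unusual locations, and exposed RDP) all leave traces in standard Windows event logs. The following is an added example written for this article, not code from HC3 or the Qilin Threat Profile: a small heuristic scanner that runs over constructed, flattened Windows event lines (System log event 7045 for service installs and Security log event 4624 for logons) and flags the three patterns. The key=value line format, the host names, IP addresses, and service names are all assumptions made for the sample; the rules are simple heuristics a detection engineer would refine against real telemetry, and the driver rule deliberately avoids naming specific drivers because the article does not.

```python
"""Heuristic detection over constructed Windows event log lines for the
post-access behaviours attributed to Qilin/Agenda affiliates: PsExec
service installation, kernel drivers loaded from outside the system driver
directory, and RDP logons from non-RFC1918 addresses.  Added example; the
event lines below are constructed, not real telemetry."""
import ipaddress
import re

# RFC1918 ranges treated as "internal".  ipaddress.is_private is not used
# because it also marks documentation ranges (e.g. 203.0.113.0/24) private.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
DRIVER_DIR = "c:\\windows\\system32\\drivers\\"

# Constructed sample events in a flattened key=value form (hypothetical).
SAMPLE_EVENTS = [
    "EventID=7045 Host=WS01 ServiceName=PSEXESVC ImagePath=%SystemRoot%\\PSEXESVC.exe ServiceType=user_mode",
    "EventID=7045 Host=WS02 ServiceName=Spooler ImagePath=C:\\Windows\\System32\\spoolsv.exe ServiceType=user_mode",
    "EventID=7045 Host=WS02 ServiceName=upd_drv ImagePath=C:\\Users\\Public\\upd.sys ServiceType=kernel_mode_driver",
    "EventID=7045 Host=WS03 ServiceName=usbhub ImagePath=C:\\Windows\\System32\\drivers\\usbhub.sys ServiceType=kernel_mode_driver",
    "EventID=4624 Host=RDP01 LogonType=10 IpAddress=198.51.100.23 TargetUserName=admin",
    "EventID=4624 Host=RDP01 LogonType=10 IpAddress=10.0.0.5 TargetUserName=helpdesk",
    "EventID=4624 Host=RDP01 LogonType=3 IpAddress=198.51.100.40 TargetUserName=svc",
]


def parse_event(line):
    """Turn a flattened 'Key=Value Key=Value' line into a dict."""
    return dict(re.findall(r"(\w+)=(\S+)", line))


def normalize_path(path):
    """Lower-case the path and expand the %SystemRoot% variable so that
    prefix comparisons against DRIVER_DIR are meaningful."""
    path = path.lower().replace("%systemroot%", "c:\\windows")
    if path.startswith("\\??\\"):  # NT object-manager prefix sometimes present
        path = path[4:]
    return path


def is_internal(ip_text):
    """True only for RFC1918 addresses; anything unparsable counts as external."""
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(addr in net for net in RFC1918)


def scan(lines):
    """Apply the three heuristics and return a list of alert dicts."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        host = ev.get("Host", "?")
        if ev.get("EventID") == "7045":
            path = normalize_path(ev.get("ImagePath", ""))
            # Rule 1: PsExec drops a service named PSEXESVC on the target.
            if ev.get("ServiceName", "").upper() == "PSEXESVC" or path.endswith("psexesvc.exe"):
                alerts.append({"rule": "psexec_service_install", "host": host,
                               "detail": ev.get("ServiceName")})
            # Rule 2: a kernel driver service whose image lives outside the
            # system driver directory (typical of a dropped vulnerable .sys).
            elif ev.get("ServiceType") == "kernel_mode_driver" and not path.startswith(DRIVER_DIR):
                alerts.append({"rule": "driver_outside_system_dir", "host": host, "detail": path})
        # Rule 3: interactive RDP logon (type 10) from a non-internal address.
        elif ev.get("EventID") == "4624" and ev.get("LogonType") == "10" \
                and not is_internal(ev.get("IpAddress", "")):
            alerts.append({"rule": "rdp_logon_from_external", "host": host,
                           "detail": f"{ev.get('TargetUserName')}@{ev.get('IpAddress')}"})
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"[{alert['rule']}] host={alert['host']} {alert['detail']}")
```

On the sample data the scanner raises three alerts: the PSEXESVC install on WS01, the driver loaded from C:\Users\Public on WS02, and the type-10 logon to RDP01 from 198.51.100.23. The legitimate Spooler service, the driver under System32\drivers, the RDP logon from 10.0.0.5, and the non-RDP logon (type 3) are all ignored. In a real deployment the RDP rule would be paired with the mitigation the article implies, namely not exposing RDP to the internet at all, so that any hit is immediately actionable.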