Warning Issued to HPH Sector About Qilin Ransomware Group
A warning has been issued to the healthcare and public health (HPH) sector about the Qilin ransomware group, which is known to attack healthcare organizations due to their reliance on uptime and the sensitivity of the data they hold. Around 7% of the ransomware attacks conducted by the group have been on healthcare organizations.
One of the most recent attacks has caused massive disruption to healthcare services in London. The group attacked a National Health Service (NHS) pathology vendor (Synnovis), which manages blood tests for NHS trusts and GP offices in south-east London. The attack did not directly affect any NHS hospitals as it was confined to Synnovis systems, but it has caused massive disruption with thousands of NHS surgeries and appointments canceled, and blood testing services have been reduced to around 10% of normal levels. The attack has caused major problems with blood matching, leading to a shortage of O-positive and O-negative blood. Synnovis expects the recovery to take weeks and anticipates a full recovery will take several months.
Qilin is a ransomware-as-a-service group that engages in double extortion tactics, where data is stolen prior to file encryption and threats are issued to publish the data if the ransom is not paid. Qilin stole 400GB of data in the attack on Synnovis, and when the $50 million ransom demand was not paid, Qilin uploaded the stolen data to its dark web data leak site. The data dump includes blood test results, personal information, and health information collected in 300 million patient interactions with the NHS.
Qilin is believed to originate from Russia and has been in operation since 2022. The group started as Agenda ransomware before rebranding as Qilin, and recruits affiliates, primarily from CIS countries, to conduct attacks. Qilin provides the ransomware, infrastructure, and tools and takes between 15% and 20% of any ransoms that are paid. Most of the attacks conducted by the group have seen ransom demands issued of between $50,000 and $800,000, but as the attack on Synnovis shows, the demands can be considerably higher.
Qilin has been increasing its attacks, with at least 60 attacks conducted so far this year. The affiliates primarily target Windows machines, but in December 2023 the group started using a Linux version on VMware ESXi servers. Initial access is most commonly gained through phishing and spear phishing emails, although the group also leverages exposed applications and interfaces such as Citrix and remote desktop protocol (RDP). One of the members of the group claims to have exploited a zero-day vulnerability in the attack on Synnovis but did not state which vulnerability was exploited.
Once access has been gained, the group uses Remote Monitoring and Management (RMM) tools and Cobalt Strike to deploy the ransomware binary. Agenda ransomware can propagate using PsExec and Secure Shell (SSH), and different vulnerable SYS drivers are used for defense evasion. The Health Sector Cybersecurity Coordination Center (HC3) has shared indicators of compromise, MITRE ATT&CK Tactics & Techniques, and recommended mitigations in its Qilin Threat Profile, a copy of which is available on the American Hospital Association website.
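Both behaviors mentioned above, PsExec-based propagation and loading of vulnerable SYS drivers, leave a trace in the Windows System log as service installations (Event ID 7045). The following triage routine is an added detection example, not part of the article or HC3's profile; the event records and the driver blocklist are constructed placeholders, and the path heuristics are assumptions a defender would tune to their own estate.

```python
"""Triage Windows Event ID 7045 (new service installed) records for PsExec-style
service installs and suspicious kernel-driver services.
Added defender example; records and blocklist below are constructed, not from
any real incident."""
import re

# Placeholder names only: in production, load Microsoft's vulnerable driver
# blocklist or a vendor feed instead of this invented set.
PLACEHOLDER_BLOCKED_DRIVERS = {"exampledrv1.sys", "exampledrv2.sys"}

# PsExec drops its service binary directly into %SystemRoot% (the ADMIN$ share);
# a user-mode service binary sitting in the Windows root is rare otherwise.
_WINDOWS_ROOT_EXE = re.compile(r"^(%systemroot%|c:\\windows)\\[^\\]+\.exe$", re.I)
_DRIVER_STORE = re.compile(r"\\windows\\system32\\drivers\\", re.I)


def analyze_service_install(event):
    """Return the list of reasons a single 7045 record looks suspicious."""
    reasons = []
    if event.get("EventID") != 7045:
        return reasons
    name = event.get("ServiceName", "")
    path = event.get("ImagePath", "")
    filename = path.rsplit("\\", 1)[-1].lower()
    stype = event.get("ServiceType", "").lower()
    if name.upper() == "PSEXESVC" or filename == "psexesvc.exe":
        reasons.append("psexec_service_install")       # default PsExec names
    elif _WINDOWS_ROOT_EXE.match(path):
        reasons.append("service_binary_in_windows_root")  # renamed PsExec clone
    if "kernel" in stype and filename.endswith(".sys"):
        if filename in PLACEHOLDER_BLOCKED_DRIVERS:
            reasons.append("blocked_driver")
        if not _DRIVER_STORE.search(path):  # BYOVD drivers often load from user dirs
            reasons.append("driver_outside_system32")
    return reasons


def triage(events):
    """Map RecordId -> reasons for every event that raised at least one flag."""
    findings = {}
    for event in events:
        reasons = analyze_service_install(event)
        if reasons:
            findings[event["RecordId"]] = reasons
    return findings


SAMPLE_EVENTS = [  # constructed records, not real telemetry
    {"RecordId": 1, "EventID": 7045, "ServiceName": "PSEXESVC", "ServiceType": "user mode service", "ImagePath": r"%SystemRoot%\PSEXESVC.exe"},
    {"RecordId": 2, "EventID": 7045, "ServiceName": "svcupdate", "ServiceType": "kernel mode driver", "ImagePath": r"C:\Users\Public\exampledrv1.sys"},
    {"RecordId": 3, "EventID": 7045, "ServiceName": "VendorDrv", "ServiceType": "kernel mode driver", "ImagePath": r"C:\Windows\System32\drivers\vendor_ok.sys"},
    {"RecordId": 4, "EventID": 7040, "ServiceName": "Spooler", "ServiceType": "", "ImagePath": ""},
    {"RecordId": 5, "EventID": 7045, "ServiceName": "upd", "ServiceType": "user mode service", "ImagePath": r"C:\Windows\upd.exe"},
]

if __name__ == "__main__":
    for record_id, reasons in triage(SAMPLE_EVENTS).items():
        print(record_id, reasons)
```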