How cyber hacking gangs steamroll global health care into ransom shakedowns

For months John Kjorstad and his family had been preparing for his son's cancer operation, but the day before Dylan was due to go into hospital he got a phone call to tell him it had been cancelled.

The polite voice on the end of the line explained that there had been an "IT pathology issue," but later that afternoon Mr Kjorstad began to see news stories about hackers attacking hospital blood testing services.

"I was like 'oh my God that's what it is, and I was just sitting there trying to process it," Mr Kjorstad told The National.

Dylan was due to be operated on to remove a tumour on his ribs in London's Royal Brompton Hospital after being diagnosed with Ewing sarcoma, a type of bone cancer, in January.

But the hospital was unable to secure the blood needed as a result of the ransomware attack on Synnovis, a company that provides pathology services to the UK's National Health Service in London.

Responsibility for the attack was claimed by a Russian-speaking group calling themselves Qilin. Around 10,000 appointments and 1,700 operations were postponed as a result.

The hackers used malware to encrypt vital information and render Synnovis's IT systems useless, then downloaded sensitive patient data. The gang demanded $50 million to end the attack.

"The worst part of it is that it's literally an attack on the most vulnerable people in a society," said Mr Kjorstad, a US national now living in Britain.

"I don't think they care whether it's children or whether it's elderly."

He says that Dylan wasn't upset, although "it confused him - why would somebody attack something that would stop me from having my surgery?".

Their activities are part of a spike in ransomware attacks on health care organisations, as criminals increasingly turn to stealing large quantities of patient data as a means of making money.

Qilin targeted Synnovis, which provides pathology services for two NHS trusts in London, King’s College Hospital and Guy’s and St Thomas’.

Three weeks after the initial attack, Qilin dumped 400GB of private information on their darknet site after failing to receive any ransom payment.

Synnovis, a joint venture between the NHS trusts and Synlab, a Munich-based company, has rebuilt its core IT systems and some testing services for GPs in south London can resume, says the NHS.

But the attack highlights how health care systems are increasingly coming under attack from ruthless gangs, who know all too well the leverage they hold over organisations in the sector, for whom it’s a matter of life and death.

Such is their increasing ruthlessness that John Riggi, American Hospital Association’s national adviser for cyber security and risk, and a former senior FBI counter-terrorism leader, told The National there is a case that “these acts be classified as a form of terrorism”.

Synnovis are in the process of seeking an injunction in London's High Court in a bid to stop Qilin releasing more patient data. A judge has granted them a private hearing.

The company also intends to serve the order on Telegram, which was used by the hackers to release data, and a website called Wikileaksv2, where a statement from them was published.

Who are Qilin?

Qilin operates what’s known as Ransomware as a Service (Raas) and is believed to have been in business since 2022.

According to the US Department of Health and Human Services (HHS), Qilin is known to target organisations in various countries and industries, including education and manufacturing, as well as health care.

Attacks have occurred in Australia, Canada, the UK, and the US, among others.

In the US, Qilin has attacked dental clinics, a health care communications company, an emergency medicine specialist, a radiology company, a home health care provider, a neurology centre, and a cardiovascular medicine clinic, says HHS.

Under the Raas model, which is compared to a franchise, hackers rent the tools and infrastructure needed to carry out attacks from the operator.

In turn these affiliates return a percentage of any ransom they’ve been paid. In the case of Qilin, that's believed to be around 10 per cent.

There may be support, such as portals that allow subscribers to see, for example, the number of files encrypted and could also include round-the-clock support.

They also often negotiate with victims via a chat function on their site on the darkweb.

Many of these affiliates may work for different ransomware brands, such as LockBit and BlackCat, as well as Qilin, says John Shier, from cyber security firm Sophos.

“Some of them do require some kind of vetting prior - work experience with maybe some of the principals behind the brand,” he explained.

“Others are very much that you buy your way in if you've got the money. Some groups have been a bit more closed off, and they've just dealt more on relationships.”

Don Smith, vice-president for threat research at the Secureworks cyber security firm, said of Qilin “the kernel of it is a few people who've been in this business for a while”.

Mr Smith, who is part of the Strategic Cyber Industry Group in the National Cybercrime Unit at the UK National Crime Agency, and a member of the UK National Cyber Advisory Board, said data posted on Qilin’s website showing the number of victims reveals a substantial increase in activity this year.

He said it’s his “hunch” that an increase in Qilin’s activity coincided with the law enforcement action against the LockBit and Blackcat groups earlier this year.

“They may have been part of previous groups that have disbanded, that it's taken them a while to get themselves sorted,” he said.

LockBit were described as "the world’s most harmful cyber crime group" by NCA, and in May revealed its leader to be Russian national Dmitry Khoroshev, who has been placed under sanctions by the UK, the US and Australia.

Unhealthy interest

Qilin’s attack on Synnovis is part of a pattern that has resulted in health care increasingly become a target for ransomware attacks.

The sheer volume and sensitivity of the data held by these organisations, along with the greatly expanded digitisation in the sector, including interconnected medical devices, have provided an incentive and opportunity for the hackers.

Data provided by the Recorded Future threat intelligence company reveals how, since 2021, ransomware attacks have increased from 35 organisations a year to 350 in 2023, with around half taking place in the US.

In 2021 there were no ransomware attacks in the UK, but that increased to three then four in 2022 and 2023. So far this year there have been seven attacks, say Recorded Future.

The average cost per health care provider is $10.93 million, according to the Arctic Wolf cyber security firm.

Organisations are understandably reticent to admit to paying ransoms, but it emerged that Change Healthcare, which processes billing payments, paid $22 million to get back data stolen by hackers.

It has been estimated that $1.1 billion was paid in ransomware in 2023, with 74 per cent going to Russian-linked hackers, according to Chainalysis.

Saira Ghafur, lead for digital health at the Institute of Global Health Innovation at Imperial College, London, and an NHS consultant, said for hackers there’s the “chaos that you can create” by going after health care.

“If there's a cyber attack on a bank they can shut things down and it's not going to really impact other than people losing money,” she said.

“But if you're attacking a healthcare system then we’ve seen appointments, operations, scans that are cancelled.

“People don't know what's going on and care is delayed. There’s so many potential repercussions of a cyber attack on health care and it creates such chaos.”

But with hospitals themselves investing in cyber security, criminals are increasingly turning their attention to suppliers.

A Synlab subsidiary in Italy was hacked earlier this year, and one in France in 2023.

Switzerland-based plasma donation company Octapharma was forced to shut 180 centres around the world after it was hit by a ransomware attack.

In the UK, NHS IT services provider Advanced has been fined $7.6 million for failing to protect patient data after it was hit by a ransomware attack in 2022.

Doctors, nurses and other staff were forced to resort to pen and paper to complete their jobs during the attack.

Don Smith said the fragmented nature of the NHS, and other health care systems, which are made up of hundreds of different organisations of varying size makes cyber security harder.

He said there was a “very good reason” why health care has become a target for ransomware attacks, as banks invest in protecting themselves.

“Yes they’re subject to lots of compliance regimes, they're subject to lots of regulatory scrutiny, and they spend a lot on cyber security.

“In hospitals, if you have a pound in front of you and you're a hospital administrator, you need to make the hard decision – are you going to spend that on front line care or you going to spend that on cyber security.”

The creaking and outdated IT systems used by the UK’s NHS have also been highlighted as a reason for its vulnerability to hackers.

A British Medical Association report revealed that clinicians were wasting more than 13 million hours every year thanks to delays arising from “inadequate or malfunctioning” systems and equipment, the equivalent of 8,000 full-time doctors, or £1bn.

“We've got lots of legacy infrastructure and we're not spending as much as other critical sectors on cyber security,” said Dr Ghafur.

But she said, when it comes to recruitment the NHS is "competing with the private sector which can offer salaries that our health service cannot afford".

Guy’s and St Thomas’ NHS Foundation Trust told The National is has a formal policy to ensure that third-party suppliers maintain acceptable levels and these arrangements are reviewed regularly.

“The Trust takes cyber security very seriously, and this includes arrangements with third parties. We are working closely with partners to fully understand how this attack happened.”

Synnovis have been approached for comment.

At the sharp end

It usually takes just a “few minutes” for Ed Dubrovsky to get the measure of the hackers he negotiates with on behalf of clients being held to ransom.

Some may have detailed knowledge of an organisation and how much it can afford to pay, while others are “less intelligent individuals” whose demands can be driven down, the cyber security veteran told The National.

Mr Dubrovsky deals with ransomware groups who hack into IT systems and encrypt data, then demand payment for it to be released and threaten to leak it if their demands are not met.

He has dealt with Qilin in the past and has worked on behalf of a hospital in the past, although he says he has no knowledge of the attack on Synnovis.

He says when it comes to attacks on healthcare organisations, hackers try to play on the knowledge that the outcome of the bargaining has real life consequences.

“In cyber security, there is certain laws that are being taught and the first, and most important is that human life basically surpasses all everything else,” said Mr Dubrovsky, chief operating officer at Cypfer cyber security.

“Usually when you're negotiating on a behalf of a hospital, number one it means that they're in dire straits.

“Number two means time is not your friend so we have to negotiate fairly quickly. That means there is urgency here. So they will be much harder to negotiate with.

“You could then also have them claiming that you are being you're slowing things down by not paying, and because of that, you are responsible for killing people.”

For those on the receiving end, the first indication that a ransomware attack has taken place typically comes in the form of notes left on systems describing the method for the victim to contact the criminals.

While every situation is different, the organisation is asked to shut down its digital assets so that they can be analysed to make sure more damage isn’t done and criminals don’t have back door access.

“There is no 1-800 number that you call and you get a pleasant lady answering the phone and telling you how much she wants in order to recover the systems," he said.

“But typically, what we see is either these days, the prevalent methods to communicate would be over a chat on a website.”

A login and a password is given to allow the victim to log into the chat page, along with details of a Bitcoin wallet for the ransom payment.

After those first key minutes have passed, a game of cat and mouse begins, as each side begins to establish what the other knows.

Mr Dubrovsky explains that often the criminals will look or search for financial information about the company and whether it has cyber insurance.

Those details are used by them to come up with an initial demand but negotiators will lie and say, for example, that the money is sitting in an organisation's account and is in fact owed to a third party.

Often, if there’s a dispute, a negotiator will call their opponent’s bluff by telling them to call the bank.

“My job is very quickly to figure out what is the real number that this threat actor believes this company can pay and really shake them down to cause them to re-evaluate their position,” Mr Dubrovsky said.

Qilin’s typical ransom demand was between $50,000 and $800,000 in 2023, says US Department of Health and Human Services.

A representative of the group told Bloomberg it was demanding $50 million from Synnovis in exchange for the code to unlock affected computers.

Mr Dubrovsky said it’s often the case that the affiliates begin to take over negotiations by suggesting they move to an email and begin to inflate their demands.

During negotiations the hackers will often offer trial decryption to prove that their decryptor will work OK.

All the while, says Mr Dubrovsky, in the chat “there’s a timer with a discounted amount and if the timer expires, the higher amount that they will demand”.

Nick Shah, a former investigator with the UK’s National Crime Agency who now works as a ransomware negotiator, said criminals often bluff about what data they have in their possession.

“My role really is to engage with threat actors, to gain more intelligence, more information, assess the situation.

“Because the client can only really make a valued risk assessment and judgment on decisions once they know more information or have more information.”

Mr Shah said he has negotiated on behalf of a medical industry client, which resulted in a ransom being paid.

“Only because the risk was very high,” he said.

Pushing boundaries

For Mr Riggi, the concern is that criminals are becoming ever bolder, and the number of attacks is heading in an upwards trajectory.

“I have seen a very significant increase in the frequency and severity of ransomware attacks, that have had a significant impact across the entire healthcare sector,” he said.

Mr Riggi, the former FBI agent, said an indication of “how despicable” the criminals have become is manifested by the attack at the start of this year on the Lurie Children’s Hospital.

Hackers accessed the Chicago-based organisation’s systems, which resulted in it taking down electronic systems, with some appointments and elective surgeries postponed.

“You can’t immediately transfer paediatric patients to other hospitals because they may not be equipped to deal with them.

“So, not only is an attack on innocent children, but it creates even a dire risk to safety.”

Mr Riggi said in early days of ransomware the groups “were more negotiable on the amounts and the demands were lower”.

“But when they realised that people's lives are in danger and the victims are more likely to pay, they started to increase the size of the attacks,” he said.

Because of the pressure of patient safety “victims are under enormous pressure to restore systems, and unfortunately that may mean payment of ransom to get the decryption key back”.

“When a healthcare or any ransomware victim pays a ransom, and I've been in the room, when the discussion and debate are continuing, the decision to pay is fundamentally focused on preserving patient safety,” he said,

He is increasingly concerned as hospitals beef up their security, the hackers are turning to suppliers.

“The bad guys have shifted to mission critical third parties – our supply chain, our technology providers, our mission critical service providers," Mr Riggi said.

“They're continuing to push the boundaries.”

Don Smith believes the criminals maybe more opportunistic and will stumble across a healthcare organisation’s vulnerabilities rather than specifically seeking them out in the first instance.

“I just don't think of this as being a super in the detail, tactically controlled set of organisations that are conducting these ransomware attacks,” he said.

“I see this as a steamroller of organised criminal gangs who are trying to make as much money as possible.”

Dylan Kjorstad eventually had his operation a month after it was postponed and has been undergoing intensive treatment at the Macmillan Cancer Centre at University College London.

"We're probably one of the lucky ones," said his dad.

"I think because of the seriousness of his diagnosis and the young age that he is, he's always been given the highest priority and received, the best care that the NHS could offer."

In the meantime, Mr Kjorstad says the NHS appears to be making more of an effort to raise awareness of cyber security.

"I was in the Brompton [hospital] with Dylan after his surgery and all of their computer screens had messages reminding people how to be cyber safe. I thought that was rather amusing."