UK and US cops band together to tackle Qilin's ransomware shakedowns

Attacking the NHS is a very bad move

UK and US cops have reportedly joined forces to find and fight Qilin, the ransomware gang wreaking havoc on the global healthcare industry.

In early June, the notorious Russia-based crew attacked Synnovis, which provides pathology services to National Health Service's London hospitals. The digital intrusion has led to the cancellation or postponement of surgeries for thousands of patients.

Adding insult to injury, the ransomware scum began leaking a trove of stolen patient data on Friday. A spokesperson told The Register they have no regrets about crippling hospitals.

On Monday, NHS England said it was working with Synnovis and the UK's National Crime Agency (NCA) to respond to the ransomware infection.

While Synnovis has determined that the leaked data was stolen from its systems, "at present, Synnovis has confirmed there is no evidence the cybercriminals have published a copy of the database (Laboratory Information Management System) where patient test requests and results are stored, although their investigations are ongoing," according to the NHS England update.

Qilin, however, operates worldwide and in April claimed to have swiped more than 70 GB of data belonging to more than half a million US radiology patients.

However, as other ransomware gangs have learned, going after these critical organizations puts an even bigger target on the extortionists' backs. 

Qilin reportedly demanded a $50 million (£39 million) ransom, which was not paid, then published millions of patients' records on a dark web market for stolen information.

Over the weekend reports began emerging that the UK National Crime Agency (NCA) was working to remove the leaked patient data and use it to help track down the criminals. While Qilin is believed to have the Kremlin's approval, either explicitly or implicitly, to run its cybercrime operation from Russia, the ransomware-as-a-service affiliates could be located anywhere in the world.

Paul Foster, a director at the NCA who leads its cybercrime unit, told The Register

This is a significant incident both in impact on the NHS and patients, but also with regard to the nature and scope of data that may be affected. We are aware data has been published and we are working closely with the National Cyber Security Centre (NCSC), NHS England, and our international law enforcement partners to progress our investigation and support the incident response.

According to the publication, the FBI is one of these international partners because Qilin has previously broken into and extorted several American healthcare companies and medical facilities.

Earlier this month, the US Department of Health and Human Services issued a warning about Qilin, saying it had identified at least 15 infections involving the gang's ransomware in the healthcare and public health sector worldwide since October 2022. About half of these were targeting American organizations in Indiana, Florida, Ohio, Georgia, Minnesota, Nevada, and Arizona.

"These US HPH victim organizations include dental clinics, a healthcare communications company, an emergency medicine specialist, a radiology company, a home healthcare provider, a neurology center, and a cardiovascular medicine clinic," according to the advisory [PDF].

Neither the FBI nor NCA immediately responded to The Register's questions, including whether they were collaborating on law enforcement action against Qilin and its members. The NCSC referred us to NCA for comment.

"It wouldn't be at all surprising if law enforcement were now to give extra attention on Qilin – in fact, it would be more surprising if they didn't," Brett Callow, threat analyst at Emsisoft, told The Register.

According to Emsisoft, 15 health systems with a total of 198 hospitals in the US alone have been hit by ransomware attacks this year, and that doesn't include Change Healthcare or other supply chain incidents.

"While disruptions are certainly extremely useful, they're not a standalone solution to the ransomware problem, and we really need to see new policy mechanisms put in place, especially in relation to better protecting the hospitals and their supply chains," Callow added. ®

More about


Send us news

Other stories you might like