Ransomware Attacks Target NHS and American Associated Pharmacies

Edward Zhou

CEO & Co-Founder

July 17, 2025

Qilin Ransomware Attack on NHS Supplier

The Qilin ransomware gang has released nearly 400GB of sensitive healthcare data online after a significant cyberattack on Synnovis, a pathology laboratory that processes blood tests for NHS organizations in London. The incident, detected on June 3, disrupted several NHS trusts and GP surgeries, leading to blood stock shortages, delays in medical procedures, and appointment cancellations.


On June 21, NHS England confirmed that Qilin had published vast amounts of Synnovis's stolen data online. The agency is collaborating with Synnovis and the National Cyber Security Centre (NCSC) to assess the data's contents. The published files reportedly include patient names, dates of birth, NHS numbers, and descriptions of blood tests, although the inclusion of test results remains uncertain. Business account spreadsheets detailing hospital and GP service arrangements with Synnovis were also uploaded.

A spokesperson for Synnovis stated, “We know how worrying this development may be for many people. We are taking it very seriously and an analysis of this data is already underway.” The NCSC is involved in validating whether the data originated from Synnovis’s systems.

The Qilin gang has a history of extortion and had previously indicated its intent to publish private information unless a ransom was paid. According to the BBC, the group is estimated to have conducted eight confirmed attacks in 2023 alone. It uses a ransomware-as-a-service model and double extortion tactics that combine data encryption with threats of data publication. The gang predominantly spreads its malware through phishing emails, but has also exploited exposed applications and interfaces, including remote desktop protocols.

Ransomware Attack on American Associated Pharmacies

American Associated Pharmacies (AAP) has been targeted by a ransomware attack conducted by a group known as Embargo. The hackers claim to have stolen over 1.4 terabytes of data, encrypting files and demanding $1.3 million for decryption. Reports from The Register indicate that AAP paid the initial ransom but is now facing an additional demand for another $1.3 million to ensure the stolen data remains private.


AAP has not publicly acknowledged the ransomware incident, but posted an “Important Notice” on its website, indicating that limited ordering capabilities have been restored for API Warehouse, a subsidiary that manages over 2,000 independent pharmacies in the U.S. The notice also stated that all user passwords for its sites were reset.

Mike Hamilton, founder and CISO of Critical Insight, commented on the situation, stating, “Embargo seems to have international and multi-sector victims and is not focusing on a specific victim profile. They seem opportunistic.” The attack has raised alarms about the vulnerability of healthcare organizations, with 80% of medical records consisting of clinical laboratory testing data, making patients particularly susceptible to breaches.

ESET, an internet security company, first identified the Embargo group in June. Embargo's toolkit is designed to disable security solutions, allowing the group to exfiltrate sensitive data effectively. Embargo has also been linked to recent attacks on Memorial Hospital and Manor in Georgia, which forced a transition to a paper-based system due to compromised email and electronic medical record systems.

Healthcare entities are urged to reconsider their cybersecurity measures, as the threat landscape continues to evolve with more sophisticated attacks.

By staying informed and implementing robust security protocols, organizations can better protect themselves from similar cyber threats, ensuring the safety and privacy of their patients' information.

Edward Zhou

CEO & Co-Founder of Gopher Security, leading the development of Post-Quantum cybersecurity technologies and solutions.
