A Russian-speaking ransomware criminal gang called Qilin is thought to be behind the cyber-attack on NHS medical services provider Synnovis, which brought tests and operations at hospital trusts to a halt and affected GPs across London.
Although the location of the group is unknown, if it is based in Russia, it will be difficult for British law enforcement to directly target it. The Russian state has long had a ban on extraditing criminals overseas, and since it launched a full-scale invasion of Ukraine, it has largely ended all cooperation on cybersecurity matters so long as the hackers focus their attacks on foreign targets.
Qilin has been active since October 2022, when it launched its first wave of attacks on companies including the French company Robert Bernard and Australian IT consultancy Dialog. It operates a “ransomware as a service” approach, letting independent hackers use its tools and infrastructure in exchange for a 15 to 20% cut of the proceeds.
The group was behind a previous attack on the publisher of the Big Issue in March this year, when it trashed the group’s systems before stealing and publishing confidential data. More than 500GB of information taken from the publisher was posted on the dark web after it refused to pay the ransom, including passport scans of employees and payroll information.
The group has steadily increased its activity over the past year, claiming responsibility for more than 50 hacks in the past four months. According to cybersecurity experts Secureworks, “its attacks tend to be opportunistic rather than targeted and so good security hygiene is the best defence against Qilin and other similar groups”.
“In total, there have been 112 organisations posted to their site, and although information technology companies lead the way in terms of impacted industries, they have attacked organisations across a wide range of sectors,” a Secureworks spokesperson added.
In 2023, Qilin’s typical ransom demand was anything from $50,000 to $800,000, according to Group-IB, a cybersecurity firm which infiltrated the group that year. It generally gains its initial foothold in its victims’ networks through spear phishing: targeted messages to insiders designed to convince them to share credentials or install malware.