Spear Phishing

Qilin and Synnovis, the two entities involved in the recent ransomware attack that has disabled laboratory services at London hospitals, are very different in many ways but nevertheless have a common purpose: using tech to extract money from healthcare organisations.

A standard business model in IT is to offer Software as a Service or SaaS. Instead of customers buying a copy of a program to run on their own machines, software is hosted on the cloud, customers pay a subscription and access it remotely as and when they need it. A niche market within the SaaS model is RaaS or Ransomware as a Service. Entities such as Revil, Conti and Qilin host platforms on the dark web which enable their subscribers (known as ‘affiliates’) to carry out ransomware attacks on corporations.

In May last year the security company Group-IB shared details of Qilin’s RaaS platform. The user interface has a section for blogposts and answers to Frequently Asked Questions. There’s information about previous attacks and a control panel for the ‘builder’, the tool that affiliates use to configure their attack. As well as details of the ransom amount, waiting period, content of the ransom note and so on, they can specify which directories and files are to be exfiltrated or encrypted and which should be skipped, the processes and services to be stopped, mode of encryption and, crucially, the login details of victims’ accounts. There’s a section of the platform where teams of affiliates can co-ordinate their activities, specifying for example who can access the ‘chats’ with the victims.

The revenue-sharing arrangements are straightforward: affiliates earn 80 per cent of the ransom for attacks under $3 million, and 85 per cent for anything bigger. In return for their 15 or 20 per cent cut, Qilin also provide a DLS (Dedicated Leak Site) on which victims’ confidential data can be published if they refuse to pay.

Qilin-supported ransomware attacks typically gain access through phishing emails in which users are duped into clicking on links that download compromised versions of operating system components known as drivers. Security specialists call this BYOVD, or Bring Your Own Vulnerable Driver. The phishing attacks that most of us are familiar with send huge volumes of emails, which require only a tiny proportion of recipients to be fooled to get a return (a lot of marketing works in the same way). The Qilin approach, known as spear phishing, is more targeted and the emails are carefully crafted to look plausible to the intended recipient.

The RaaS model has significantly lowered the entry bar for ransomware attacks. Tool development can be sustained, and the operations are, to use the business term, scalable. A Windows version of the platform was launched in 2022 and enhanced in December to allow attacks on a wider range of operating systems and architectures. Qilin recruits affiliates via a Russian-speaking forum known as Ransom Anon Market Place and specifies that countries in the Commonwealth of Independent States (most of the former Soviet Union) are not acceptable targets.

Healthcare organisations are a common target for ransomware attacks. They typically rely on a complex mix of computer systems which are often poorly maintained, while both continuity of provision and confidentiality of data are paramount. The THREAT database (Tracking Healthcare Ransomware Events and Traits) recorded 374 ransomware attacks on US healthcare organisations between January 2016 and December 2021. The most high profile attack in the UK, the 2017 WannaCry attack, led to a 6 per cent reduction in admissions across 34 NHS trusts while their computer systems were affected.

A 2006 review of the UK’s pathology services estimated that 70 to 80 per cent of all healthcare decisions were informed by laboratory tests. The same review noted that provision across the UK was somewhat chaotic, with considerable variation in costs, and argued that testing should be consolidated, with a smaller number of laboratories each supporting a wider network of hospitals. Guy’s and St Thomas’ NHS Foundation Trust responded to the review by partnering with Serco, the outsourcing specialist, to create a private company to compete in this new market. The company subsequently merged with a similar initiative from King’s and became Viapath, suppling pathology services to the ten hospitals operated by the two trusts.

An article in the Independent in 2014 found that Viapath, then 51 per cent owned by Serco, had been overcharging its clients – i.e. the two trusts that owned 49 per cent of the company – to the tune of several million. In 2019 the trusts decided to dispense with its services and awarded a fifteen-year, £2.2 billion contract to a German competitor, SynnLab. Serco exercised an option to withdraw from the collaboration and, in a move that foreshadows Qilin’s ransom demands, the trusts were obliged to pay Serco £15 million in order to retain access to the company’s IT systems and ensure continuity of care. Viapath was relaunched as Synnovis in 2022, with SynnLab replacing Serco as the majority shareholder, but with the two trusts retaining their shares.

It's not yet clear what the financial fallout from the latest attack will be. Looking for published information about Qilin over the last few days I’ve come across several briefings from security consultants advising on the measures that need to be taken to protect against such attacks or to mitigate their effects. It will be interesting to see what emerges about what wasn’t being done at Synnovis. Confidential data on 300 million patient episodes has now been published on the Qilin DLS, so it seems unlikely that the ransom will be paid. Perhaps Qilin, or their affiliates, are less adept than Serco at judging how much money can be squeezed out of the NHS.

Since the attack, NHS Blood and Transplant have been sending me urgent requests to give blood. My blood is O negative and can be given to anyone, so is, for the moment, the only type of blood that can be used in hospitals that are unable to order blood tests or receive results. I’m happy to do my bit to help the NHS and I’m glad that Qilin’s ransom isn’t being paid. I only hope that the story doesn’t end with SynnLab keeping as profit money that should have been spent on keeping the service secure.