Once more, we are in the midst of a cyber ransomware attack. Today's target is Synnovis, an NHS blood testing provider that collaborates with several NHS Foundation Trusts, including Guy's and St. Thomas' and King's College Hospital NHS Foundation Trust. This is a classic example of the supply chain risk that is often talked about as a key threat to many businesses; whilst the attackers targeted an NHS provider, and not the hospitals themselves, the impact was very much felt within the hospitals with cancelled appointments and an inability to function in a “normal” manner.
Timeline
3/06/2024: The hacking of hospitals in London was first made public. Pathology service provider Synnovis announced that all its IT systems were malfunctioning, which meant that information sharing and blood testing could not be done using the usual computerised systems.
14/06/2024: The BBC reported that “More than 800 planned operations and 700 outpatient appointments were rearranged in the first week after a cyber-attack hit London hospitals” [1].
19/06/2024: A blog post was published on the Qilin ransomware group's Tor hidden service.
Figure 1 - Qilin blogpost
The post pointed readers to a link on the group's Telegram channel, from which the data taken from Synnovis could be downloaded.
Figure 2 - Qilin Telegram Channel
There were roughly 410GB of stolen data, split into 104 archives of about 4GB each. A volume of that size suggests the data came from an internal file share rather than from a single compromised machine.
Between the 3rd and 19th of June, the attackers were probably in direct contact with Synnovis to solicit the ransom payment.
Qilin Ransomware Group Profile and Motivation:
Figure 3 - Qilin Ransomware Group Logo
Like most other ransomware groups, their primary motivation is financial: they aim to maximise profit by exploiting weaknesses in high-value targets. They show off their technical prowess with sophisticated malware written in Rust and Go. A technical analysis conducted back in 2023 suggests they are associated with Russia, or at least have Russian-speaking members. Their actions are a reminder of the growing threat posed by ransomware attacks and of the need for effective cybersecurity defences.
It is indeed unusual for ransomware gangs to target healthcare providers. In an interview with the BBC, Qilin declared “we are ‘sorry’ for all the harm caused but we’re ‘not to blame’” [2].
What happens before, during and after a ransomware attack?
To simplify for non-technical readers, there are four main stages in a ransomware attack:
Attacker’s lateral movement
Let’s start by considering that an attacker is already inside the company’s network. This could have happened via several methods, such as phishing or by exploiting vulnerabilities in the externally facing systems belonging to the company.
The attacker's main goal is to gain as many privileges as possible and to map the internal network so they can move laterally and infect or lock the systems the company depends on (e.g. an SMB file share, or a production database).
Exfiltration and activation of the crypto locker
Once sensitive data has been identified, the attacker first transfers it to a server they control (or that they previously hacked). Once sufficient privileges have been attained, the attacker launches what is called a ‘crypto locker’: malware that encrypts every file on the affected system(s), leaving them unreadable. Short of restoring from backups, the only way to recover the original content of the files is a ‘decryptor’, which holds the correct keys to reverse the encryption.
Deal with ransom
At this stage the company will be aware of the attack, because systems stop responding and the crypto locker will have left a ransom note containing all the information needed to get in touch with the attackers and pay the ransom.
It is usually the criminal group that dictates a deadline to the company, often threatening to publish all of the stolen data online if the ransom is not paid in time. Negotiation between the company and the criminals may delay the publication of the data.
I can’t stress enough that the ransom should never be paid by the company.
Publishing of the data
The last stage is the publication of the company’s data on the group’s website, or its upload to other platforms to make it easier to download.
A well-run company should by then have issued a public press release and contacted all affected customers, explaining what data was affected and what has been done to prevent a recurrence.
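The lateral movement and exfiltration stages described above leave traces in host telemetry that a defender can alert on. The following is an added example, not code from the original post: a small detector run over constructed sample events that flags two of those traces, an unusually large outbound volume from one process (the post describes roughly 410GB leaving in 104 archives of about 4GB) and a burst of files renamed to a new extension, which is what a crypto locker looks like from the file system's point of view. The thresholds, hostnames, process names, addresses and event format are all assumptions.

```python
"""Detect two ransomware-stage signatures in host telemetry (added example).

  - exfiltration: one process pushes a very large outbound volume in a short window;
  - crypto locker: one process renames many files to a new extension within seconds.
Thresholds, hosts, process names and addresses below are constructed assumptions.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from pathlib import PurePosixPath

EXFIL_BYTES_THRESHOLD = 50 * 1024**3   # 50 GiB outbound per process per window (assumed)
EXFIL_WINDOW = timedelta(hours=1)
LOCKER_RENAME_THRESHOLD = 100          # extension-changing renames per process per window (assumed)
LOCKER_WINDOW = timedelta(seconds=60)


def build_sample_events():
    """Constructed telemetry: one dict per event. Not real logs."""
    base = datetime(2024, 6, 2, 1, 0, 0)
    events = []
    # Bulk upload from a file server: 104 archives of 4 GiB, one every 29 s (~50 min).
    for i in range(104):
        events.append({"ts": base + timedelta(seconds=29 * i), "host": "FS01",
                       "proc": "archiver.exe", "event": "net_out",
                       "bytes": 4 * 1024**3, "dst": "203.0.113.10"})
    # Benign browsing on a workstation: 20 small requests.
    for i in range(20):
        events.append({"ts": base + timedelta(minutes=i), "host": "WS07",
                       "proc": "browser.exe", "event": "net_out",
                       "bytes": 5 * 1024**2, "dst": "198.51.100.5"})
    # Crypto locker: 150 documents renamed to "<name>.locked" within 45 s.
    for i in range(150):
        src = f"/share/reports/report{i}.docx"
        events.append({"ts": base + timedelta(hours=2, milliseconds=300 * i),
                       "host": "FS01", "proc": "locker.exe", "event": "file_rename",
                       "src": src, "dst": src + ".locked"})
    # Benign: a user renames a handful of files in an editor.
    for i in range(3):
        events.append({"ts": base + timedelta(hours=3, seconds=i), "host": "WS07",
                       "proc": "editor.exe", "event": "file_rename",
                       "src": f"/home/u/draft{i}.txt", "dst": f"/home/u/draft{i}.md"})
    return events


def windowed_max(items, window):
    """Largest sum of weights inside any time window of the given length.
    items: iterable of (datetime, weight). Two-pointer sweep over the sorted list."""
    items = sorted(items)
    best = total = 0
    j = 0
    for i, (t, w) in enumerate(items):
        total += w
        while items[j][0] < t - window:   # drop events that fell out of the window
            total -= items[j][1]
            j += 1
        best = max(best, total)
    return best


def detect_exfiltration(events):
    """Alert on (host, proc) pairs whose outbound bytes in any EXFIL_WINDOW exceed the threshold."""
    per_proc = defaultdict(list)
    for e in events:
        if e["event"] == "net_out":
            per_proc[(e["host"], e["proc"])].append((e["ts"], e["bytes"]))
    alerts = []
    for (host, proc), items in per_proc.items():
        peak = windowed_max(items, EXFIL_WINDOW)
        if peak > EXFIL_BYTES_THRESHOLD:
            alerts.append({"host": host, "proc": proc, "uploads": len(items),
                           "peak_gib": round(peak / 1024**3, 1)})
    return alerts


def detect_crypto_locker(events):
    """Alert on (host, proc) pairs that change the extension of many files within
    LOCKER_WINDOW, reporting the dominant new extension (useful for the IR ticket)."""
    per_proc = defaultdict(list)
    new_ext = defaultdict(Counter)
    for e in events:
        if e["event"] != "file_rename":
            continue
        before, after = PurePosixPath(e["src"]).suffix, PurePosixPath(e["dst"]).suffix
        if before != after:
            key = (e["host"], e["proc"])
            per_proc[key].append((e["ts"], 1))
            new_ext[key][after] += 1
    alerts = []
    for (host, proc), items in per_proc.items():
        peak = windowed_max(items, LOCKER_WINDOW)
        if peak >= LOCKER_RENAME_THRESHOLD:
            alerts.append({"host": host, "proc": proc, "renames_in_window": peak,
                           "new_extension": new_ext[(host, proc)].most_common(1)[0][0]})
    return alerts


if __name__ == "__main__":
    evs = build_sample_events()
    for alert in detect_exfiltration(evs) + detect_crypto_locker(evs):
        print(alert)
```

On the constructed sample the first detector fires once (the file server pushing 416 GiB in under an hour) and the second once (150 files turned into `.locked` in 45 seconds), while the browser traffic and the editor's three renames stay below threshold. Both rules are coarse by design: in production the volume threshold would be set from a baseline of each host's normal outbound traffic, and the rename rule would be paired with file-entropy or honeypot-file checks to cut false positives from legitimate bulk operations.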
Data Breach – A Pot of Gold for Bad Hackers
Since it is against the law in the UK to download data released by ransomware organisations, we are unable to determine exactly what kind of material has been made public. We can, however, consider the categories of data typically found in such leaks:
Source Code
Any software or application starts with its source code. If the targeted organisation has developed its own program and depends on it for business activities, a leak may allow attackers to find new vulnerabilities, produce counterfeit versions of the software, or interfere with its functionality. If rivals obtain access to proprietary features or algorithms, it can also result in a loss of competitive advantage.
The source code of an application or website frequently also contains the credentials needed to communicate with external systems (such as database passwords or cloud secret keys). If those credentials are leaked and the database is reachable, whether from an adjacent network or from the Internet, the data it holds is at risk as well.
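Because credentials committed into source code become an attacker's credentials the moment the repository leaks, the usual defence is to scan the code for them before they are committed and to load secrets from the environment instead. The following is an added example, not code from the original post: a minimal scanner run over constructed sample files, together with the corrected loading pattern. The regular expressions, file contents and the key value (the AWS documentation's example access key id) are assumptions chosen for illustration.

```python
"""Find credentials hard-coded into source files and show the safer alternative (added example).
Patterns are deliberately small; production scanners carry hundreds of them."""
import os
import re

# Constructed detection patterns (assumptions, not an exhaustive list).
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "db_url_with_password": re.compile(r"\b(?:postgres|mysql)://[^:\s/]+:[^@\s]+@"),
    "assigned_secret": re.compile(
        r"(?i)\b(password|passwd|secret|api[_-]?key|token)\b\s*[=:]\s*['\"][^'\"]{8,}['\"]"),
}

# Constructed sample repository: filename -> file contents. Not real code or real secrets.
SAMPLE_FILES = {
    "config.py": 'DB_URL = "postgres://app:Sup3rSecret!@db.internal:5432/lab"\nDEBUG = False\n',
    "storage.py": 'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\nregion = "eu-west-2"\n',
    "notify.py": 'TOKEN = "constructed-token-value-0000"\n',
    "settings_safe.py": 'import os\nDB_URL = os.environ["DB_URL"]\nAPI_KEY = os.environ.get("API_KEY")\n',
    "README.md": "Set the password using the PASSWORD environment variable.\n",
}


def scan_source(files):
    """Return one finding per (file, line, pattern) hit, with the matched value redacted
    so the report itself does not become a second copy of the secret."""
    findings = []
    for name, text in files.items():
        for line_no, line in enumerate(text.splitlines(), start=1):
            for kind, pattern in SECRET_PATTERNS.items():
                if pattern.search(line):
                    findings.append({
                        "file": name,
                        "line": line_no,
                        "kind": kind,
                        "snippet": pattern.sub("<redacted>", line.strip()),
                    })
    return findings


def load_secret(name, env=None):
    """The corrected pattern: secrets come from the process environment (or a secret
    manager), never from the source tree. Failing loudly beats falling back to a default."""
    env = os.environ if env is None else env
    value = env.get(name)
    if not value:
        raise RuntimeError(f"required secret {name} is not set in the environment")
    return value


if __name__ == "__main__":
    for f in scan_source(SAMPLE_FILES):
        print(f"{f['file']}:{f['line']} [{f['kind']}] {f['snippet']}")
```

Run as a pre-commit hook or CI step, a scanner like this stops the leak at the point where it is cheapest to fix; the `settings_safe.py` and `README.md` samples show the two cases it must not flag, a value read from the environment and a prose mention of the word "password".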
Database
Databases can hold a large amount of data, such as transaction records, product details, user information, and more. Financial fraud, targeted phishing and identity theft are all possible once personal data is in the wrong hands. Private company information may be used by rivals or seriously harm a company's reputation. The Ashley Madison breach also showed that user data can be used for blackmail, given the nature of that business.
Financial Data
Budgets, projections, financial statements, and records of financial transactions are all considered forms of financial data. It contains private data on the state of a business's finances, such as income, costs, earnings, losses, and financial projections. Financial information that is made public online may be exploited for corporate espionage, insider trading, or market manipulation. If the information indicates financial instability, it can also result in a decline in investor confidence. The overall financial markets may be impacted by this as well.
Client List
Most companies hold a list of the clients they work with. Typically, it contains names, contact information, purchase history and client preferences. A customer list that is made public online may be exploited for identity theft, phishing schemes or unsolicited marketing. It can also harm the business's reputation and cause its clients to lose faith in it.
Private Communications
We live in a digital era, and between emails, Teams, Slack and WhatsApp we have all left a footprint on a remote server somewhere. Private communications can include personal remarks about other employees that can be used against the original sender to blackmail them. Leaks of private communications can also expose problems or situations that were swept under the rug and will now resurface.
Lessons Learnt and Key Takeaways
In conclusion, businesses are not helpless against the mounting threat posed by ransomware, whether it strikes them directly or through a supplier and disrupts their normal operations. By adopting proactive measures in planning, detection, response and recovery, businesses can drastically lower their risk and make sure they are prepared to respond effectively in the event of an attack.
Preparation means implementing strong security measures, backing up data, and providing frequent personnel training. Early detection is crucial, and monitoring systems and incident response plans make it possible. In the event of an attack, rapid action helps minimise damage, and a well-thought-out recovery plan hastens the return of operations to normal.
Moreover, having assurance over the security of your supply chain is becoming more and more important in the current landscape, particularly for those suppliers which are critical to normal business operations. Organisations can gain this assurance by ensuring their suppliers have security in mind and can evidence that technical and procedural controls are implemented and in place.
Keep in mind that in the digital age cybersecurity isn't an extravagance, but a need. By understanding the dangers and taking suitable measures, companies can secure their important information and maintain the trust of their clients. Stay safe, stay prepared, and let’s create a more secure digital world together.
Bibliography
[1] Don't blame us for people suffering - London hospital hackers