In June 2024, **Synnovis**, a UK-based pathology services provider, fell victim to a **Qilin ransomware attack** that severely disrupted NHS blood transfusion and diagnostic services across London. Qilin intrusions of this kind begin with basic security gaps: unpatched VPN appliances, single-factor remote access without MFA and exposed management interfaces, and end in **data theft followed by system encryption**. Patient test results, blood matching and critical lab operations were delayed or halted, forcing hospitals to declare **major incidents** and divert emergency cases. The attack exposed sensitive medical records, including those of doctors and police officers, while crippling core healthcare infrastructure. Qilin affiliates threatened to publish the stolen data on dark-web leak sites if the ransom went unpaid. The incident not only endangered patient lives by delaying surgeries and treatments (e.g., cancer care) but also **threatened the organization's operational existence**, with prolonged outages and reputational damage. Collaboration between Qilin and affiliates such as Scattered Spider further complicates attribution and recovery, underscoring the escalating sophistication of RaaS-driven cybercrime in critical sectors.
Source: https://www.infosecurity-magazine.com/news/qilin-ransomware-activity-surges/
Viapath cybersecurity rating report: https://www.rankiteo.com/company/viapath-llp
"id": "via1292112111125",
"linkid": "viapath-llp",
"type": "Ransomware",
"date": "6/2024",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'industry': ['construction',
'healthcare',
'financial services'],
'size': 'small-to-medium',
'type': ['small-to-medium-sized businesses (SMBs)']},
{'industry': 'healthcare',
'location': 'United Kingdom',
'name': 'Synnovis',
'type': 'healthcare provider'}],
'attack_vector': ['unpatched VPN appliances',
'lack of multi-factor authentication (MFA)',
'exposed management interfaces',
'single-factor remote access tools'],
'data_breach': {'data_encryption': True, 'data_exfiltration': True},
'date_publicly_disclosed': '2025-01-01T00:00:00Z',
'description': 'Cybersecurity researchers at S-RM have observed a rise in '
'ransomware incidents linked to the Qilin ransomware group, a '
'long-running ransomware-as-a-service (RaaS) operation. The '
'group exploits unpatched VPN appliances, lack of multi-factor '
'authentication (MFA), and exposed management interfaces to '
'gain initial access. While high-profile breaches like the '
'2024 Synnovis attack on UK healthcare systems have drawn '
'attention, most victims are small-to-medium-sized businesses '
'(SMBs) in construction, healthcare, and financial sectors. '
'Qilin operates as a RaaS since 2023, with affiliates '
'(including Scattered Spider) deploying its tools. In 2025, '
'88% of Qilin cases involved both data theft and file '
'encryption, with victim data published on dark-web leak sites '
'if ransoms were unpaid. The group has also expanded extortion '
'channels to include Telegram and platforms like WikiLeaksV2.',
'impact': {'brand_reputation_impact': True,
'data_compromised': True,
'identity_theft_risk': True,
'operational_impact': True},
'initial_access_broker': {'data_sold_on_dark_web': True,
'entry_point': ['unpatched VPN appliances',
'single-factor remote access tools',
'exposed management interfaces'],
'high_value_targets': ['SMBs in construction, '
'healthcare, financial '
'sectors']},
'investigation_status': 'ongoing (S-RM research)',
'lessons_learned': ["Qilin operates as a professionalized RaaS 'tech "
"business' with profit-sharing affiliates, increasing "
'attribution complexity.',
'Basic security gaps (e.g., unpatched VPNs, lack of MFA) '
'remain primary attack vectors.',
'Collaboration among cybercrime groups (e.g., Scattered '
'Spider deploying Qilin) amplifies threat sophistication.',
'Expansion of extortion channels (e.g., Telegram, '
'dark-web leak sites) increases pressure on victims.'],
'motivation': ['financial gain',
'profit-sharing with affiliates',
'data exfiltration for extortion'],
'post_incident_analysis': {'corrective_actions': ['Enhanced patch management '
'for VPNs/remote access '
'tools',
'Mandatory MFA '
'implementation',
'Reduction of exposed '
'attack surfaces (e.g., '
'management interfaces)',
'Network segmentation and '
'proactive intrusion '
'monitoring'],
'root_causes': ['Unpatched vulnerabilities in '
'VPN/remote access devices',
'Lack of multi-factor '
'authentication (MFA)',
'Exposed administrative interfaces',
'Collaboration between cybercrime '
'groups (e.g., Scattered Spider '
'using Qilin RaaS)']},
'ransomware': {'data_encryption': True,
'data_exfiltration': True,
'ransomware_strain': 'Qilin'},
'recommendations': ['Regularly patch and update VPNs and remote access '
'devices.',
'Enforce multi-factor authentication (MFA) for all '
'accounts.',
'Limit or eliminate exposed management interfaces.',
'Implement network segmentation to isolate critical '
'systems.',
'Deploy proactive monitoring for lateral movement and '
'intrusion signs.',
'Treat ransomware groups as structured businesses, not '
'just hackers, and adapt defenses accordingly.'],
'references': [{'date_accessed': '2025-01-01',
'source': 'S-RM Intelligence Advisory'},
{'date_accessed': '2025-01-01',
'source': 'Tech Business Insights on Qilin RaaS (Ted Cowell, '
'S-RM)'},
{'source': 'Ransomware-as-a-Service Trends: AI Chatbot '
'Extortion'}],
'response': {'enhanced_monitoring': True,
'network_segmentation': True,
'remediation_measures': ['regularly patch and update VPNs and '
'remote access devices',
'apply MFA to all accounts',
'limit or remove exposed management '
'interfaces',
'segment networks to isolate critical '
'systems',
'monitor proactively for lateral '
'movement or signs of intrusion']},
'stakeholder_advisories': ['S-RM advisory on Qilin RaaS trends (published '
'2025-01-01)'],
'threat_actor': ['Qilin ransomware group', 'Scattered Spider (affiliate)'],
'title': 'Rise in Qilin Ransomware Incidents Targeting SMBs in Construction, '
'Healthcare, and Financial Sectors',
'type': ['ransomware', 'data breach', 'cybercrime collaboration'],
'vulnerability_exploited': ['unpatched VPN vulnerabilities',
'weak authentication mechanisms',
'exposed administrative interfaces']}