A ransomware attack on pathology and diagnostic service provider Synnovis on the 3rd of June has shaken London’s healthcare system to its core, causing disruptions at multiple major NHS hospitals in London.
The Attack
Synnovis went live with a Laboratory Information Management System (LIMS) in October of 2023, which combined multiple separate IT systems set up for the NHS-affiliated trusts into one. The change locked the trusts into a single system dependent upon SYNLAB operations for pathology results, creating a single point of failure.
The attack took down the server hosting this new infrastructure, causing a massive disruption in the trusts’ patient treatment operations.
The group behind this attack is known to gain initial footholds through spear-phishing campaigns and then deploy ransomware, written in cross-platform languages such as Rust and Go, to steal and encrypt data, which they later use to extort money from the organisation.
In this case, the attackers initially did not encrypt the data; they only stole it, and then demanded a ransom under threat of releasing the stolen data on their leak site. When the people in charge dismissed and ignored their claims, refusing to communicate with the attackers, the attackers completely cut off the company’s access to the affected servers.
The situation has not yet been resolved.
The Impact
The NHS relies heavily on Synnovis for pathology services, which involve the scientific analysis of specimens of blood, fluids, tissue, and other samples. As a result, operations and procedures that rely heavily on these services, such as blood transfusions, have been postponed for most patients. Additionally, several health procedures, including surgeries, have been cancelled, postponed, or redirected to other hospitals due to safety concerns. Emergency care, thankfully, remains available.
In the wake of the disruptions and lack of access to the blood-matching systems caused by the attack, doctors decided to go forward with critical or urgent operations and transfusions using O- and O+ blood types, which, being universal donors, can be transfused safely to all patients. This has unfortunately now led to a major decline in the reserves of the two blood types. What makes this worse is that we are yet to see a resolution to end the disruptions, meaning the blood shortages are only going to get worse.
The Culprits
The threat actors belong to a ransomware gang called INC, which is thought to be linked to the Qilin ransomware operation.
Qilin is a Russian Ransomware-as-a-Service (RaaS) program that operates through affiliates and is known for predominantly choosing critical sector companies as its targets. Its past targets include Ireland’s Health Service Executive (HSE) and, more recently, NHS Dumfries and Galloway and multiple Romanian hospitals in February of this year.
The Takeaways
It is only in these cases, when the butterfly effect of an attack becomes obvious, that we choose to look at the effects beyond just the initial impact. Every attack, every breach, everywhere in the world, has a butterfly effect that affects hundreds, thousands, and sometimes even tens of thousands of people. Just because the effects don’t make themselves known does not mean they do not exist. The good news, however, is that awareness also has the same butterfly effect. After an attack, when one company makes its defences stronger, it protects all of its clients, and forces all its providers to do the same. I ask, why wait for an attack? Why not strengthen your defences today?
I hope to keep my readers aware of what is going on in the battlefield of the future, the Cyberspace, and make it as easy for them to understand as I can. That is why I do this. Follow along.
Stay Safe.
Comments
One response to “The Ransomware Attack on Synnovis that Broke London Healthcare”
[…] critical infrastructure, there is a possibility that this attack is a follow-up of sorts to the ransomware attacks on Synnovis which disrupted London’s healthcare system a few months […]