Darknet site for Qilin gang, suspected in London hospitals ransomware attack, goes down

The darknet extortion site for the Qilin ransomware gang, believed to be behind an attack affecting multiple London hospitals, has gone down on Wednesday.

Medical operations have been canceled at several of London’s largest hospitals, and a critical incident declared following the attack on third-party service provider Synnovis. Sources briefed on the matter told Recorded Future News that Qilin appears to be the culprit.

It is not clear why the Qilin website is currently unavailable. It was accessible earlier Wednesday, but in the afternoon, London time, it began displaying an 0xF2 error, which most commonly occurs when a darknet site is transferred to a new server.

Qilin had not as of Wednesday updated its victims page to include Synnovis, a business that provides pathology services to Guy’s and St Thomas’ NHS Foundation Trust and King’s College Hospitals NHS Trust. General practitioner physicians’ services across Bexley, Greenwich, Lewisham, Bromley, Southwark and Lambeth boroughs were also affected by the attack.

If the Qilin site was taken down in response to the impact on London healthcare providers, it would be a surprisingly quick law enforcement response. In comparison, the operation to tackle the LockBit ransomware gang lasted two years, Recorded Future News understands.

However, law enforcement agencies have been pursuing a high tempo of disruption operations against multiple ransomware gangs in recent months. It is feasible, although unevidenced, that an international coalition already had access to Qilin’s systems and chose this moment to disrupt the gang.

Despite this possibility, the outage is not necessarily indicative of a law enforcement action, as the .onion sites used by cybercrime groups are notoriously unreliable. The gang itself may have chosen to take the site down to avoid the additional attention attached to incidents that cause severe disruption.

Qilin's dark web page as of Wednesday afternoon, London time.

Critical incident declared

The attack on Synnovis has had “a major impact on the delivery of our services, with blood transfusions being particularly affected,” said Ian Abby, the chief executive at Guy’s and St Thomas’ NHS Foundation Trust.

A critical incident — an emergency status — has been declared. The disruption has seen planned surgeries canceled and patients redirected to other care providers, which may add additional pressure to nearby hospitals.

In a statement yesterday, Synnovis’ chief executive Mark Dollar said that a “taskforce of IT experts from Synnovis and the NHS is working to fully assess the impact this has had.”

“Regrettably this is affecting patients, with some activity already cancelled or redirected to other providers as urgent work is prioritised,” wrote Dollar. “We are incredibly sorry for the inconvenience and upset this is causing to patients, service users and anyone else affected.”

The attack is the latest of 215 ransomware incidents affecting the health sector in the United Kingdom since January 2019, according to personal data breaches reported to the Information Commissioner’s Office (ICO).

Ransomware attacks reached record levels in the United Kingdom last year, according to this data. Although the data suggests that incidents dropped from a record 106 in 2022 to just 32 in 2023, both the ICO and the National Cyber Security Centre have said they are “increasingly concerned” about ransomware victims failing to report incidents.

To tackle the ransomware crisis, officials at the Home Office had planned to launch a public consultation in June proposing radical measures — including requiring all victims to seek a license before making a ransomware payment —  although these plans have been delayed by the Prime Minister calling a snap election.

Attacks on the healthcare sector risk being especially impactful to patients. Earlier this year, cyber extortionists published sensitive patient data stolen from NHS Dumfries and Galloway, part of the Scottish healthcare system, in a bid to demand money from the local health board.