Time: 2024-07-19
More than a month after the devastating Qilin cyberattack against NHS England, patient appointments are still being cancelled as a direct result of the disruption. According to reports published by NHS England, Guy's and St Thomas' NHS Foundation Trust and King's College Hospital NHS Foundation Trust, in the week ending 7 July, 1,286 acute outpatient appointments and 100 elective procedures had to be postponed. Since the attack on 3 June, a total of 6,199 acute outpatient appointments and 1,491 elective procedures have been postponed at King's College Hospital NHS Foundation Trust and Guy's and St Thomas' NHS Foundation Trust. The widely reported disruption was caused by a ransomware attack on Synnovis, the pathology lab partner of NHS England.
As a result of the attack, the two NHS Trusts most affected have been forced to use more O-positive and O-negative blood, leading to a reduction in supplies nationally. At the moment, pathology services in some areas of London are running at almost half capacity as they struggle to cope with the disruption. The investigation into the attack is ongoing, with Synnovis continuing work on restoring its most essential digital infrastructure.
First identified in July 2022, Qilin rapidly gained notoriety by launching its Ransomware-as-a-Service (RaaS) operation on underground forums in February 2023. Originally evolving from the Agenda ransomware, which was developed in the Go programming language, Qilin has since been rewritten in Rust, reflecting a shift towards more robust and efficient malware construction techniques. Qilin, also known as Agenda ransomware, has been particularly active and successful in its operations, having compromised over 150 organizations across 25 countries and spanning a diverse array of industries. In this blog, we aim to unpack the techniques and procedures employed by Qilin, insights we have gathered through the meticulous work of our Threat Intelligence and Digital Forensics and Incident Response (DFIR) teams in recent incident responses.
The threat actor exploits well-known vulnerabilities in Fortinet devices. In some cases, organizations run firewall clusters on different software versions, and one of those versions is sometimes vulnerable. Another tactic involves leveraging the CVE-2023-27532 vulnerability in internet-facing Veeam Backup & Replication software. Successfully exploiting this vulnerability enables attackers to access encrypted credentials from the configuration database. Upon execution, the ransomware seeks to elevate its privileges to the SYSTEM level. It accomplishes this by using an embedded Mimikatz module to steal the user token from a process such as lsass.exe, winlogon.exe, or wininit.exe. The ransomware then uses this stolen token to launch a new process under the security context of the acquired token.
To remove evidence of malicious activity, once all tasks are complete it periodically clears the Windows Event Logs in a separate thread using specific commands.
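The repeated, privileged clearing of event logs described above leaves a detectable trace of its own: Windows writes Event ID 1102 (Security log cleared) and Event ID 104 (System/Application log cleared) as the first record of each freshly emptied log. The following detection logic is an added example, not code from the original post or from any of the organizations named; it assumes a constructed JSON-lines export of Windows events with the field names shown and flags hosts where several log-clear events occur within a short window.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Event IDs written when a log is cleared; they survive the clearing because
# they are the first record in the emptied log. 1102: Security; 104: System/Application.
LOG_CLEARED_IDS = {1102, 104}

def parse_events(lines):
    """Parse a JSON-lines event export (one Windows event per line) into dicts."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["TimeCreated"])
        events.append(ev)
    return events

def find_log_clearing_bursts(events, window=timedelta(minutes=10), min_count=2):
    """Alert on hosts with min_count or more log-clear events inside one time window.
    A burst of clears across several channels from a privileged context is the
    pattern a periodic cleaning thread produces; a single clear by an admin is not."""
    per_host = defaultdict(list)
    for ev in events:
        if ev["EventID"] in LOG_CLEARED_IDS:
            per_host[ev["Computer"]].append(ev)
    alerts = []
    for host, evs in per_host.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            run = [e for e in evs[i:] if e["ts"] - first["ts"] <= window]
            if len(run) >= min_count:
                alerts.append({"host": host, "count": len(run), "start": first["ts"],
                               "subjects": sorted({e.get("SubjectUserName", "?") for e in run}),
                               "channels": sorted({e["Channel"] for e in run})})
                break  # one alert per host is enough for triage
    return alerts

# Constructed sample export (hostnames, times and users are made up, not real telemetry)
SAMPLE_LINES = [
    '{"TimeCreated": "2024-06-03T02:14:05", "Computer": "LAB-SRV01", "EventID": 4624, "Channel": "Security", "SubjectUserName": "svc_backup"}',
    '{"TimeCreated": "2024-06-03T02:20:11", "Computer": "LAB-SRV01", "EventID": 1102, "Channel": "Security", "SubjectUserName": "SYSTEM"}',
    '{"TimeCreated": "2024-06-03T02:20:12", "Computer": "LAB-SRV01", "EventID": 104, "Channel": "System", "SubjectUserName": "SYSTEM"}',
    '{"TimeCreated": "2024-06-03T02:25:40", "Computer": "LAB-SRV01", "EventID": 104, "Channel": "Application", "SubjectUserName": "SYSTEM"}',
    '{"TimeCreated": "2024-06-03T09:00:00", "Computer": "LAB-WS07", "EventID": 1102, "Channel": "Security", "SubjectUserName": "admin"}',
]

if __name__ == "__main__":
    for alert in find_log_clearing_bursts(parse_events(SAMPLE_LINES)):
        print(alert)
```

Forward these events to a collector as they are generated, since a cleared local log is exactly the evidence this technique is meant to destroy.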