Ransomware Attack Results In Blood Shortages

England's NHS Blood and Transplant (NHSBT) has issued an urgent call to O Positive and O Negative blood donors to book appointments and donate.

This comes as major hospitals in the London area had to cancel operations and blood transfusions after a cyberattack on June 4, 2024. Hospitals were directly impacted when their pathology and diagnostic services provider, Synnovis, was hit by a ransomware attack.

Ransomware Attack Results In Blood Shortages

It was later discovered that Synnovis had suffered a ransomware attack orchestrated by the Russian cybercrime gang Qilin, initially known for distributing the Agenda Ransomware strain. Hospitals were forced to cancel operations that required blood transfusions as a result of the attack.

In a statement issued by the NHSBT, it was noted that,

The IT incident affecting a pathology provider means the affected hospitals cannot currently match patients’ blood at the same frequency as usual. For surgeries and procedures requiring blood to take place, hospitals need to use O type blood as this is safe to use for all patients and blood has a shelf life of 35 days, so stocks need to be continually replenished. That means more units of these types of blood than usual will be required over the coming weeks to support the wider efforts of frontline staff to keep services running safely for local patients.

Why is O-type blood so important? The statement went on to explain that O negative is the type that can be given to anyone, often referred to as the universal blood type.

In emergencies where blood type cannot be determined quickly, O negative is used to save lives. O positive is the most common blood type; approximately 35% of the population have this type. Further, it can be given to anyone with a positive blood type.

At the time of writing, Synnovis has yet to release an update since June 4, 2023. It is believed recovery operations are still underway. On several previous occasions, this publication has covered the impacts of ransomware on the healthcare industry as a whole.

Companies and organizations within the healthcare sector have proved happy hunting grounds for cyber criminals, particularly those distributing ransomware.

It is hoped that said criminals realize that such operations can place lives at risk; until then, many ransomware gangs have no qualms about targeting hospitals.

Qilin and Agenda

In an interview with BBC Radio 4, Ciaran Martin, the inaugural CEO of the UK's National Cyber Security Centre (NCSC), said that the Qilin cybercriminal group is likely responsible for the incident.

While the group has generated many headlines following the attack on Synnovis, little is known about them compared to other significant ransomware gangs. This will likely change in the near future.

The Qilin ransomware operation surfaced in August 2022 under the "Agenda" name; as mentioned above, the ransomware used by the gang has also been named Agenda. However, by September 2022, the operation had been rebranded to Qilin.

The gang has been linked to or claimed a steady stream of victims since its launch, with over 130 companies added to its dark web leak site over the last two years. However, Qilin operators weren't very active until attacks picked up towards the end of 2023, and they have been relatively constant since then.

Gang members tend to favor targeting companies and organizations in critical infrastructure sectors. To highlight this, since December 2023, these cybercriminals have also been developing one of the most advanced and customizable Linux encryptors.

The encryptor appears to have been specifically designed to target VMware ESXi virtual machines favored by enterprise organizations and those in critical infrastructure for their light resource needs.

Towards the end of 2023, a Group-IB security researcher managed to gain access to the gang's infrastructure, including the admin panel.

In the published research that followed, it was determined that threat actors could achieve a wide variety of tasks from this admin panel, including:

  • Amend the content of the ransom note
  • The directories that malware tools will skip
  • The files that malware tools will skip
  • The extensions that malware tools will skip
  • The processes that malware tools will kill
  • The services that will be stopped
  • Login credentials of accounts
  • Safe mode excluded hosts can be easily accessed
  • Change the mode of encrypting
  • File extensions that will be encrypted
  • A list of virtual machines (VMs) that will not be killed/shut down during the attack

In highlighting the threat posed by Qilin threat actors, Group-IB concluded,

Although Qilin ransomware gained notoriety for targeting critical sector companies, they are a threat to organizations across all verticals. Moreover, the ransomware operator’s affiliate program is not only adding new members to its network, but it is weaponizing them with upgraded tools, techniques, and even service delivery. That being said, it is absolutely essential that businesses take concrete steps now to keep their mission-critical operations and data completely secured.

▼ Show Discussion

About the author:

Karolis Liucveikis

Karolis Liucveikis - experienced software engineer, passionate about behavioral analysis of malicious apps.

Author and general operator of PCrisk's "Removal Guides" section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has experience of over five years working in this branch. He attended KTU University and graduated with a degree in Software Development in 2017. Extremely passionate about technical aspects and behavior of various malicious applications. Contact Karolis Liucveikis.

PCrisk security portal is brought by a company RCS LT. Joined forces of security researchers help educate computer users about the latest online security threats. More information about the company RCS LT.

Our malware removal guides are free. However, if you want to support us you can send us a donation.

About PCrisk

PCrisk is a cyber security portal, informing Internet users about the latest digital threats. Our content is provided by security experts and professional malware researchers. Read more about us.

Malware activity

Global malware activity level today:

Medium threat activity

Increased attack rate of infections detected within the last 24 hours.

Virus and malware removal

This page provides information on how to avoid infections by malware or viruses and is useful if your system suffers from common spyware and malware attacks.

Learn about malware removal