Ransomware Assault on the NHS:
A Deep Dive into the Synnovis Data Breach

NHS England has confirmed that patient data held by Synnovis, the pathology services provider that processes blood tests for hospitals and GP practices in south-east London, was stolen in a cyber-attack on Monday 3 June 2024. The attack was carried out by Qilin, a Russian-speaking ransomware group, which later published nearly 400GB of the stolen data on its darknet leak site in an attempt to extort Synnovis. Qilin reportedly demanded $50 million; Synnovis refused to pay.

The Latest Attack

The knock-on effects of the attack were severe. Services were disrupted at seven NHS hospitals run by two NHS trusts, and more than 3,000 hospital and GP appointments were affected, because blood tests could not be processed at normal volume. The attackers compromised Synnovis's IT infrastructure and deployed ransomware that encrypted its systems, then demanded payment to restore them. The stolen data included sensitive patient details such as names, dates of birth, NHS numbers and descriptions of blood tests, as well as business account spreadsheets detailing financial arrangements between hospitals, GP services and Synnovis. This is not the first time Synnovis or its parent company, Synlab, has been targeted: over the past year the group has suffered multiple security incidents, including a ransomware attack on its French branch in June 2023 by the Clop gang. Repeated breaches of the same supplier show how much healthcare organisations, and the third parties they depend on, still need to strengthen their cybersecurity defences.

Why is the NHS Targeted so Frequently?

The NHS is frequently targeted because of the high value of the data it holds and its comparatively weak defences. Healthcare records fetch high prices on criminal markets, and a patient record cannot be "reissued" the way a payment card can, which makes the sector a prime target. A key challenge is the NHS's underfunded and outdated IT estate. Hospitals operate 24/7, so the downtime needed for updates and maintenance is hard to schedule. Systems that cannot be patched promptly, including the managed file transfer (MFT) services that move data between organisations, are left exposed to well-resourced attackers. Newer medical technology, such as imaging machines and insulin pumps, widens the attack surface further: these devices may not hold much sensitive data themselves, but a compromised device on the clinical network can give an attacker a foothold from which to reach the systems that do, as has been seen in some ransomware attacks.

MFT Vulnerabilities: A Weak Point in Security

One critical but often overlooked area of weakness is the Managed File Transfer (MFT) system that organisations like Synnovis depend on to exchange sensitive data, including patient records, with hospitals and GP practices. These systems are designed to move large volumes of information securely, but they become weak points when they are misconfigured or not kept up to date. MFT products typically carry data over encrypted protocols such as SFTP and FTPS, yet the security of that data depends on how the system is set up and maintained: a small misconfiguration in access controls, user authentication or the encryption settings can open a gap an attacker can use. In Synnovis's case the initial access route has not been published, so an MFT weakness can only be described as a possible contributing factor. More generally, as MFT systems evolve, configuration changes such as upgrades and patches can inadvertently expose the system to new risk if they are not managed carefully. Attackers actively scan for exposed file transfer services with outdated versions, weak settings or legacy ciphers, which makes MFT endpoints attractive targets. Without proper logging, auditing and regular testing, an organisation may not learn of the problem until it is too late.

How System Configuration Changes Can Lead to Breaches

Even a vigilant organisation can be undermined by an outdated software version or an inadvertently poor configuration choice. For example, an MFT server that is not kept up to date will keep offering the protocol versions, key exchange methods, ciphers and key lengths that were current when it was installed, some of which have since been broken or deprecated, and it will not benefit from the stronger options that later releases enable by default. Organisations that rely on MFT services therefore need robust change and patch management. Every change should be tested and validated against an agreed security baseline before and after it goes live, so that a patch or a configuration edit cannot silently weaken the service. Where this is neglected, attackers can exploit the resulting weaknesses, as numerous ransomware attacks on healthcare providers have demonstrated. It is possible that a lack of rigorous oversight of configuration changes, or insufficient security auditing, created the environment in which Qilin was able to deploy ransomware at Synnovis. Strengthening the security of MFT systems and other data transfer channels is essential to reducing the risk of similar attacks.

How Threpoly Can Help

One of the many features of the Threpoly service is the ability to monitor your MFT solution's software version and to assess the strength of your SFTP and FTPS connections. For software versions, Threpoly warns you when your MFT solution is older than the current release and lists the security patches you are missing. By connecting to your MFT solution on a regular schedule, Threpoly also assesses the connection strength, which is determined by the key exchange algorithms, host key types, ciphers and MACs the service offers, depending on the protocol. If the service offers algorithms or ciphers that are known to be broken or deprecated, Threpoly reports your level of risk exposure and alerts you as soon as it changes or worsens.
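The kind of check described above, and the "weak encryption settings" misconfiguration discussed under MFT vulnerabilities, can be demonstrated against an SFTP endpoint without any vendor tooling. The example below is added here and is not Threpoly's code or any MFT vendor's: it parses the SSH_MSG_KEXINIT message that every SSH/SFTP server sends at the start of a connection (RFC 4253, section 7.1), in which the server advertises every key exchange, host key, cipher and MAC algorithm it is willing to use, and flags any that appear on a weak-algorithm policy. The policy list, the function names and the two sample servers are this example's own assumptions; the sample KEXINIT payloads are constructed inline so the script runs offline, and `fetch_kexinit` is included only to show how the same parser is fed from a live host.

```python
import socket
import struct

SSH_MSG_KEXINIT = 20

# Example policy (an assumption of this example, not a vendor or Threpoly list):
# algorithms a modern SFTP endpoint should no longer advertise.
WEAK = {
    "kex": {"diffie-hellman-group1-sha1", "diffie-hellman-group14-sha1",
            "diffie-hellman-group-exchange-sha1", "rsa1024-sha1"},
    "hostkey": {"ssh-rsa", "ssh-dss"},  # SHA-1 signature schemes
    "cipher": {"3des-cbc", "arcfour", "arcfour128", "arcfour256", "blowfish-cbc",
               "cast128-cbc", "aes128-cbc", "aes192-cbc", "aes256-cbc", "none"},
    "mac": {"hmac-md5", "hmac-md5-96", "hmac-sha1-96", "none"},
}


def _name_list(buf, off):
    """Decode one RFC 4251 name-list: uint32 length + comma-separated ASCII names."""
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    names = buf[off:off + n].decode("ascii")
    return [s for s in names.split(",") if s], off + n


def parse_kexinit(payload):
    """Split a KEXINIT payload into its ten name-lists, keyed by role."""
    if payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    off = 1 + 16  # message id followed by a 16-byte random cookie
    roles = ["kex", "hostkey", "cipher_c2s", "cipher_s2c", "mac_c2s", "mac_s2c",
             "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c"]
    lists = {}
    for role in roles:
        lists[role], off = _name_list(payload, off)
    return lists


def assess(lists):
    """Return 'category: algorithm' findings for every advertised weak algorithm."""
    checks = [("kex", lists["kex"]), ("hostkey", lists["hostkey"]),
              ("cipher", lists["cipher_c2s"] + lists["cipher_s2c"]),
              ("mac", lists["mac_c2s"] + lists["mac_s2c"])]
    findings = []
    for category, offered in checks:
        for alg in sorted(set(offered) & WEAK[category]):
            findings.append(f"{category}: {alg}")
    return findings


def build_kexinit(kex, hostkey, ciphers, macs):
    """Construct a KEXINIT payload; used here only to make sample input."""
    def nl(items):
        raw = ",".join(items).encode("ascii")
        return struct.pack(">I", len(raw)) + raw
    return (bytes([SSH_MSG_KEXINIT]) + b"\x00" * 16
            + nl(kex) + nl(hostkey) + nl(ciphers) + nl(ciphers) + nl(macs) + nl(macs)
            + nl(["none"]) + nl(["none"]) + nl([]) + nl([])
            + b"\x00" + b"\x00\x00\x00\x00")  # first_kex_packet_follows, reserved


def fetch_kexinit(host, port=22, timeout=5):
    """Read a live server's KEXINIT payload (network access; not used offline)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(b"SSH-2.0-mftcheck\r\n")
        f = s.makefile("rb")
        while True:  # skip any pre-banner lines until the version string
            line = f.readline()
            if not line:
                raise ConnectionError("no SSH banner received")
            if line.startswith(b"SSH-"):
                break
        (packet_len,) = struct.unpack(">I", f.read(4))
        body = f.read(packet_len)  # padding_length byte, payload, padding
        return body[1:packet_len - body[0]]


# Constructed sample servers: a legacy MFT build and a hardened one.
LEGACY_SERVER = build_kexinit(
    ["diffie-hellman-group14-sha1", "diffie-hellman-group1-sha1", "ecdh-sha2-nistp256"],
    ["ssh-rsa", "ssh-dss"],
    ["aes128-cbc", "3des-cbc", "aes128-ctr"],
    ["hmac-sha1", "hmac-md5"])
HARDENED_SERVER = build_kexinit(
    ["curve25519-sha256"],
    ["ssh-ed25519", "rsa-sha2-512"],
    ["chacha20-poly1305@openssh.com", "aes256-gcm@openssh.com"],
    ["hmac-sha2-256-etm@openssh.com"])

if __name__ == "__main__":
    for label, payload in (("legacy", LEGACY_SERVER), ("hardened", HARDENED_SERVER)):
        print(label, assess(parse_kexinit(payload)) or ["no weak algorithms offered"])
```

Run unchanged, the script reports seven findings for the legacy server and none for the hardened one; point `assess(parse_kexinit(fetch_kexinit("your-sftp-host")))` at a real endpoint to check a live MFT service. Because a server only removes an algorithm from this list when it is upgraded or reconfigured, re-running the check after every change is a cheap way to catch a patch or configuration edit that has quietly re-enabled a legacy cipher.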