A group of Russian cybercriminals is behind the ransomware attack that halted operations and tests in major London NHS hospitals, the former chief executive of the National Cyber Security Centre has said.
Ciaran Martin said the attack on pathology services firm Synnovis had led to a “severe reduction in capacity” and was a “very, very serious incident”.
Hospitals declared a critical incident after the attack and have cancelled operations and tests and been unable to carry out blood transfusions.
Memos to NHS staff at King’s College hospital, Guy’s and St Thomas’ (including the Royal Brompton and the Evelina London children’s hospital) and primary care services in the capital said there had been a “major IT incident”.
Asked on BBC Radio 4’s Today programme on Wednesday if it was known who attacked Synnovis, Martin said: “Yes. We believe it is a Russian group of cybercriminals who call themselves Qilin.
“These criminal groups – there are quite a few of them – they operate freely from within Russia, they give themselves high-profile names, they’ve got websites on the so-called dark web, and this particular group has about a two-year history of attacking various organisations across the world.
“They’ve done automotive companies, they’ve attacked the Big Issue here in the UK, they’ve attacked Australian courts. They’re simply looking for money.”
He said it was unlikely the Russian hackers would have known they would cause such serious primary healthcare disruption when they set out to do the attack.
He added: “There are two types of ransomware attack. One is when they steal a load of data and they try and extort you into paying so that isn’t released, but this case is different. It’s the more serious type of ransomware where the system just doesn’t work.
“So, if you’re working in healthcare in this trust, you’re just not getting those results so it’s actually seriously disruptive.”
He said the government had a policy of not paying but the company would be free to pay the ransom if it chose to.
“The criminals are threatening to publish data, but they always do that. Here, the priority is the restoration of services.”
The National Cyber Security Centre is investigating the impact of the cyber-attack along with NHS officials.
Synnovis said the incident had been reported to the police and the information commissioner.
The health secretary, Victoria Atkins, wrote on X on Wednesday: “Throughout yesterday I had meetings with NHS England and the National Cyber Security Centre to oversee the response to the cyber-attack on pathology services in south-east London.
“My absolute priority is patient safety and the safe resumption of services in the coming days.”
The Synnovis chief executive, Mark Dollar, said a taskforce of IT experts from Synnovis and the NHS was working to fully assess the impact and what action was needed.
According to the Health Service Journal (HSJ), one senior source said gaining access to pathology results could take “weeks, not days”.