London Hospital Hackers: Don’t Blame Us For Patient Suffering

The cyber-hackers responsible for causing major disruption at London hospitals say they are “sorry” for all the harm caused but are “not to blame”

The ransomware gang spoke to the BBC on the encrypted chat service qTox, attempting to justify the attack as a political protest.

Qilin, which has a well-established record of trying to extort money, claims that, in this instance, it carried out a cyber-attack as revenge for the UK government’s actions in an undisclosed war.

Experts are skeptical, however, with Jen Ellis, from the organization Ransomware Task Force, telling the BBC that “cyber-criminals as this gang lies routinely.”

“Where they are from and why they have carried out the attack is secondary to the harm being caused right now to patients and hospital staff,” she added.

The hack has postponed more than 1,000 operations and appointments and declared a critical incident. “Yes, we know about the situation,” the hackers said, speaking in broken English.

“We are very sorry for the people who suffered because of it. Herewith, we don’t consider ourselves guilty, and we ask you don’t blame us in this situation.”

The hackers said the UK government should be blamed as they were not helping in the unspecified war. The gang, which is thought to be based in Russia, like many ransomware crews, would not say where it was.

It said the UK government “don’t even put a penny on the lives of those who fight on the front edge of the free world,” which is reminiscent of language used to describe Ukraine’s fight against Russia’s invasion. But it might also refer to Russian troops fighting against Ukraine.

The group says it deliberately chose to attack blood test firm Synnovis, which two London NHS trusts use. “Our citizens are dying in unequal combat from a lack of medicines and donor blood,” it said.

Researchers have previously said Qilin posted adverts for hackers to join its criminal service in Russia. It would be unusual but not unprecedented for Qilin hackers to be in Ukraine, where many alleged ransomware hackers have been arrested in recent months.

It is rare for hackers to be detained in Russia as the government there refuses to cooperate with Western law enforcement requests.

Qilin declined to be more specific about its political allegiance or geography “for security reasons.”

This is the first time that the crew has claimed to have a political motive for its hacks – Qilin has been tracked since 2022, at which time it has carried out criminal hacks against schools, hospitals, companies, councils, and healthcare organizations.

The gang charges victims a ransom fee in Bitcoin to return systems to normal once they have infected a computer network or stolen private data.

On their darknet site, crew members regularly post details about their latest victims – of the dozens currently listed; there are no others purportedly linked to political activism.

They have not yet posted any stolen data from Synnovis but added a post about the company to the darknet site on Wednesday.

The hackers told the BBC they would soon be posting the stolen data. “Stay tuned”, they said. The London hospitals hack was first announced on 3 June when pathology service provider Synnovis said all its IT systems were offline.

Blood tests and information-sharing could not be done using the standard computerized systems. The NHS trusts affected are Guy’s and St Thomas’ NHS Foundation Trust and King’s College Hospitals NHS Trust, with patients affected at four hospitals and GP services across Bexley, Greenwich, Lewisham, Bromley, Southwark and Lambeth boroughs.

One hospital doctor told BBC London that blood tests that once would have taken an hour could now take up to six hours, as the systems needed to process them are down.

According to NHS London, five planned C-sections were rescheduled, and 18 organs were diverted for use by other trusts. At the same time, 736 hospital outpatient appointments and 125 community outpatient appointments had to be postponed.

Optional blood-borne virus (HIV, Hep C, and Hep B) tests are also currently suspended. Primary care appointments are underway, but blood tests are prioritized for urgent cases. Synnovis says it is working to recover its IT systems and has not confirmed whether Qilin is holding it for ransom.

The BBC asked Qilin how they could justify harming innocent people. They said, “This interview is over,” and have not responded since.