Synnovis Confirms Patient Data Stolen in Qilin Ransomware Attack on London Hospitals

Synnovis Confirms Theft of Patient Data Following Devastating Qilin Ransomware Attack in June 2024

Severity: HIGH
November 13, 2025

Related Entities

Organizations: NHS
Other: Synnovis, Qilin ransomware, Guy's and St Thomas' NHS Foundation Trust, King's College Hospital NHS Foundation Trust, SYNLAB

Executive Summary

Synnovis, a critical pathology services provider for the NHS in London, has confirmed that sensitive patient data was exfiltrated during the highly disruptive ransomware attack it sustained in June 2024. The attack, claimed by the Qilin ransomware group, had a severe operational impact, crippling lab services and forcing the cancellation of more than 1,100 hospital procedures. After a complex, multi-month forensic investigation, Synnovis has now acknowledged the data breach component of the attack. The stolen data includes patient names, dates of birth, and NHS numbers. The provider is working with affected NHS trusts to begin the difficult process of notifying impacted individuals.


Threat Overview

On June 20, 2024, the Qilin ransomware group, a prominent ransomware-as-a-service (RaaS) operator, launched a devastating attack against Synnovis. The attack encrypted critical systems, rendering the pathology service unable to process blood tests and other diagnostics for its partner hospitals, including Guy's and St Thomas' NHS Foundation Trust and King's College Hospital NHS Foundation Trust. This is a classic example of a double-extortion attack, where the threat actor both encrypts data for disruption and exfiltrates it for leverage.

Following the initial encryption, the Qilin gang published approximately 400 GB of data on its dark web leak site, claiming it belonged to Synnovis. The confirmation of the data theft on November 12, 2025, comes after a prolonged analysis of this leaked data, which the company described as "unstructured, incomplete and fragmented."

Technical Analysis

While specific TTPs for the initial access have not been disclosed, Qilin ransomware attacks typically follow a common pattern:

  1. Initial Access (T1133 - External Remote Services or T1566 - Phishing): Qilin affiliates often gain entry through exposed remote services like RDP or by using credentials stolen via phishing campaigns.
  2. Credential Access & Discovery: Once inside, they use tools like Mimikatz to harvest credentials and perform network reconnaissance to identify high-value targets like domain controllers and backup servers.
  3. Lateral Movement (T1021.001 - Remote Desktop Protocol): Attackers move across the network to deploy their ransomware widely.
  4. Exfiltration (T1567.002 - Exfiltration to Cloud Storage): Before encryption, sensitive data is collected and exfiltrated to attacker-controlled storage.
  5. Impact (T1486 - Data Encrypted for Impact): The ransomware payload is executed across the network, encrypting files and disrupting operations.

Impact Assessment

The impact of this attack was severe and multifaceted. Operationally, it caused a near-total shutdown of pathology services in southeast London, leading to the cancellation of over 1,100 elective surgeries and appointments and creating a public health crisis due to blood shortages. Financially, the costs of response, recovery, and rebuilding the IT infrastructure are substantial. From a data privacy perspective, the theft of patient PII (names, NHS numbers, dates of birth) and potentially test results constitutes a major breach of trust and creates a risk of fraud and identity theft for the affected individuals. The reputational damage to both Synnovis and the NHS is significant.

Detection & Response

  • Detecting Data Staging: Monitor for large, unexpected data transfers from internal systems to a single staging server, or large outbound transfers to cloud storage providers. Use D3FEND's User Data Transfer Analysis.
  • Ransomware Canary Files: Place decoy files (canaries) on file shares with specific alerts. If these files are modified or encrypted, it can provide an early warning of a ransomware attack in progress.
  • Active Directory Monitoring: Monitor for unusual activity in Active Directory, such as the creation of new admin accounts or widespread credential dumping attempts. Use D3FEND's Domain Account Monitoring.
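As an added example (not code from the article or from Synnovis), the canary-file check from the bullet above in Python: decoys are planted on a share with random content, and a later sweep reports any canary that has been rewritten, deleted, or renamed with an appended extension, the three things an encryption run typically does to a file. The prefix and file count are assumptions.

```python
import hashlib
import secrets
from pathlib import Path

CANARY_PREFIX = "zz_do_not_open_"   # hypothetical naming convention for decoys


def plant_canaries(share: Path, count: int = 3) -> dict[str, str]:
    """Write decoy files into a share and return {path: sha256} as the baseline."""
    share.mkdir(parents=True, exist_ok=True)
    baseline = {}
    for i in range(count):
        p = share / f"{CANARY_PREFIX}{i}.docx"
        p.write_bytes(secrets.token_bytes(4096))   # random bytes: holds no real data
        baseline[str(p)] = hashlib.sha256(p.read_bytes()).hexdigest()
    return baseline


def check_canaries(baseline: dict[str, str]) -> list[str]:
    """Return one alert string per canary that was removed, renamed or rewritten."""
    alerts = []
    for path, digest in baseline.items():
        p = Path(path)
        if not p.exists():
            # Ransomware commonly keeps the name and appends an extension,
            # so look for any sibling whose name starts with the canary's name.
            siblings = [s.name for s in p.parent.glob(p.name + "*")]
            what = f"renamed to {siblings}" if siblings else "deleted"
            alerts.append(f"CANARY {p.name}: {what}")
            continue
        if hashlib.sha256(p.read_bytes()).hexdigest() != digest:
            alerts.append(f"CANARY {p.name}: content changed (possible encryption)")
    return alerts
```

Run `check_canaries` on a schedule (or from a file-system watcher) and route any non-empty result to the SOC as a high-priority alert, since a legitimate user has no reason to touch these files.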

Mitigation

  1. Offline Backups (M1053 - Data Backup): Maintain immutable, offline backups of all critical data and systems. Regularly test restoration procedures to ensure they are effective. This is the most crucial defense against the impact of encryption.
  2. Network Segmentation (M1030 - Network Segmentation): Segment the network to prevent ransomware from spreading from one part of the organization to another. Critical systems, like those used in pathology labs, should be isolated from general corporate networks.
  3. Multi-Factor Authentication (MFA) (M1032 - Multi-factor Authentication): Enforce MFA on all remote access points (VPN, RDP) and for all privileged accounts to prevent attackers from using stolen credentials for initial access and lateral movement.
  4. Limit Privileged Access (M1026 - Privileged Account Management): Implement just-in-time (JIT) access and the principle of least privilege to minimize the number of accounts that have administrative rights, reducing the attack surface.

Timeline of Events

  1. June 20, 2024: The Qilin ransomware group attacks Synnovis, causing major operational disruption.
  2. November 12, 2025: Synnovis officially confirms that patient data was stolen during the June 2024 attack.
  3. November 13, 2025: This article was published.
  4. November 21, 2025: Expected completion date for Synnovis to notify all affected healthcare organizations.

MITRE ATT&CK Mitigations

  • The most critical mitigation for ransomware is having immutable and offline backups to enable recovery without paying the ransom.
  • Proper network segmentation can contain a ransomware outbreak and prevent it from spreading to critical systems across the enterprise.
  • Enforce MFA on all remote access points to prevent attackers from gaining initial access with stolen credentials.
  • Use EDR tools to detect and block common ransomware behaviors like rapid file encryption and deletion of shadow copies.

D3FEND Defensive Countermeasures

The core impact of the Qilin ransomware attack on Synnovis was operational disruption from encrypted systems. The primary countermeasure is a robust backup and restoration strategy. Organizations must maintain multiple, geographically separate backup copies, with at least one being offline or immutable (e.g., on air-gapped tape or in cloud storage with object lock enabled). This prevents the ransomware from encrypting or deleting backups. Restoration plans must be tested quarterly to ensure data can be recovered within acceptable Recovery Time Objectives (RTOs). For a healthcare provider like Synnovis, this means being able to restore critical patient information systems and lab equipment configurations quickly to resume operations and minimize impact on patient care.

To prevent a ransomware incident from becoming a catastrophic, enterprise-wide event, implement strict network segmentation. Critical systems, such as the pathology and lab information systems used by Synnovis, should be isolated in their own secure network enclaves. Firewall rules should restrict traffic between these critical zones and the general corporate network, allowing only necessary communication on specific ports. This 'zero trust' approach contains the 'blast radius' of an attack. If a user workstation on the corporate network is compromised, segmentation prevents the threat actor from easily moving laterally to encrypt critical healthcare systems. This turns a potentially devastating incident into a more manageable, contained event.

The Qilin attack involved double extortion, with 400 GB of data exfiltrated before encryption. To detect this, deploy Network Detection and Response (NDR) or Data Loss Prevention (DLP) tools to monitor for large-scale data exfiltration. Establish a baseline for normal data transfer volumes and patterns for all critical servers. Create high-priority alerts for any significant deviations, such as a server suddenly uploading hundreds of gigabytes of data to an external IP address or an unfamiliar cloud service. Analyzing NetFlow data or full packet capture can help identify the source and destination of the exfiltration, providing an opportunity to block the transfer and respond to the breach before the final ransomware payload is deployed.
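As an added example (not code from the article or from Synnovis), the baseline-and-deviation logic described in this paragraph and in the "Detecting Data Staging" bullet of Detection & Response, written in Python over constructed NetFlow-style records: per-host outbound volume to non-internal addresses is aggregated by day, a median is taken from history, and a host is flagged only when today's volume is both a large multiple of its baseline and above an absolute floor. The RFC 1918 ranges, the 10x / 5 GiB thresholds and all addresses and byte counts are assumptions.

```python
import ipaddress
import statistics
from collections import defaultdict

# Assumed internal address space; adjust to the environment's real ranges.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def outbound_bytes_per_day(flows):
    """Sum bytes per (source host, day) for flows that leave the internal address space."""
    totals = defaultdict(int)
    for day, src, dst, nbytes in flows:
        if is_internal(src) and not is_internal(dst):
            totals[(src, day)] += nbytes
    return totals


def find_exfil_candidates(history, current, multiplier=10.0, floor_bytes=5 * 1024**3):
    """Flag hosts whose outbound volume exceeds both a multiple of their historical
    daily median and an absolute floor (defaults: 10x and 5 GiB, both assumed)."""
    per_host = defaultdict(list)
    for (src, _day), total in outbound_bytes_per_day(history).items():
        per_host[src].append(total)
    alerts = []
    for (src, day), total in outbound_bytes_per_day(current).items():
        baseline = statistics.median(per_host[src]) if per_host[src] else 0
        if total >= floor_bytes and total >= multiplier * max(baseline, 1):
            alerts.append({"host": src, "day": day, "bytes": total, "baseline": baseline})
    return alerts


# Constructed sample flow records: (day, src, dst, bytes). Not real traffic.
HISTORY = [
    ("2024-06-17", "10.20.5.7", "203.0.113.10", 300 * 1024**2),
    ("2024-06-18", "10.20.5.7", "203.0.113.10", 280 * 1024**2),
    ("2024-06-19", "10.20.5.7", "203.0.113.10", 310 * 1024**2),
    ("2024-06-17", "10.20.5.7", "10.20.9.1", 50 * 1024**3),      # internal backup copy: ignored
]
CURRENT = [
    ("2024-06-20", "10.20.5.7", "198.51.100.25", 400 * 1024**3),  # hundreds of GB to an unfamiliar host
    ("2024-06-20", "10.20.5.8", "203.0.113.10", 200 * 1024**2),   # normal volume: below the floor
]

if __name__ == "__main__":
    for alert in find_exfil_candidates(HISTORY, CURRENT):
        print(alert)
```

The absolute floor keeps quiet hosts with a near-zero baseline from alerting on every small upload; the multiplier catches a busy server that suddenly moves far more than its own norm.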

Article Author

Jason Gomes, Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.
