Qilin Ransomware and the NHS: How Five Controls Could Have Closed the Front Door

10,152 outpatient appointments postponed and 1,710 elective procedures cancelled across six NHS trusts in south-east London. Blood testing capacity at roughly 10% of normal for months, with around 200 cancer treatment sessions delayed. Over 900,000 individuals' data exposed, including HIV test results, sexual health screenings, and cancer diagnostics.
One patient died after a delayed blood test was confirmed as a contributing factor in June 2025.
That's the Synnovis attack in full: one ransomware group, one pathology supplier, six National Health Service (NHS) trusts in south-east London, six months of disruption. The group responsible was Qilin, and the techniques they used to get in are exactly the kind of thing Cyber Essentials (CE) is designed to stop.
Who Qilin are
Qilin is a ransomware-as-a-service (RaaS) operation that first appeared in July 2022 under the name Agenda, rebranded to Qilin by September that year, and recruits affiliates through RAMP, a Russian-speaking cybercrime forum. The business model is straightforward: Qilin provides the malware and the infrastructure, affiliates carry out the attacks, and the profits get split. Affiliates keep 80% of ransom payments under USD 3 million, and 85% above that.
The malware was originally written in Golang, then rebuilt in Rust. It targets Windows, Linux, and VMware ESXi systems. Rust makes the code harder to reverse-engineer and easier to customise per target.
In the first ten months of 2025, Qilin claimed 701 victims, averaging 75 per month through Q3. That made them the most prolific ransomware group globally, not a niche operation but the market leader in ransomware-as-a-service.
The Synnovis attack timeline
On 3 June 2024, Qilin affiliates encrypted systems at Synnovis, a pathology services provider for NHS hospitals across south-east London. Synnovis handles blood tests, tissue analysis, and diagnostics for six trusts: Guy's and St Thomas', King's College Hospital, South London and Maudsley, Lewisham and Greenwich, Oxleas, and Bromley Healthcare.
NHS England declared a Critical Incident the next day. Blood testing capacity dropped to roughly 10% of normal, hospitals reverted to manual processes, and around 200 cancer treatments were delayed. General practitioner (GP) blood testing didn't fully resume until approximately September 2024, three months later.
On 20 June, Qilin published 400 GB of stolen data. Patient blood test results, including HIV status, sexual health screenings, and cancer diagnostics, alongside personally identifiable information. Over 900,000 individuals were affected, and Qilin demanded USD 50 million, which Synnovis refused to pay. By 18 December 2024, Synnovis declared first-phase restoration complete at a total cost of GBP 32.7 million. In January 2025, two cases of severe patient harm were confirmed. In June 2025, one patient death was confirmed.
Six months from encryption to first-phase restoration, for a blood testing service.
The kill chain: how Qilin actually gets in and moves
This is the section that matters most if you're trying to defend against this group. I'll walk through each phase using MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) technique identifiers so you can cross-reference with your own detection tools.
Getting in
Qilin affiliates don't rely on a single method but use whatever works to get through the door.
Exploiting unpatched systems (T1190). In multiple incidents, affiliates exploited known vulnerabilities in Fortinet virtual private network (VPN) appliances (CVE-2024-21762) and Veeam backup servers (CVE-2023-27532); CVE stands for Common Vulnerabilities and Exposures. Both vulnerabilities had patches available well before the attack, and both were left unpatched.
VPN access without multi-factor authentication (T1133). In the Synnovis attack, the affiliates maintained access to the network via VPN for 18 days before detonating the ransomware. Eighteen days inside the network, undetected. VPN access without multi-factor authentication (MFA) was the open door.
Spearphishing (T1566). Targeted emails to individuals with privileged access, not the mass-spray kind but individually tailored to each target.
Buying credentials (T1078). Qilin affiliates purchase valid credentials from initial access brokers (IABs), people who specialise in breaking in and selling the access to whoever's paying. If your staff reuse passwords across personal and work accounts, those credentials end up on broker marketplaces.
Staying in
Once inside, Qilin establishes persistence so they don't lose access if someone reboots a system.
They add registry run keys (T1547) so their tools restart automatically. They create scheduled tasks disguised as legitimate software like TeamViewer (T1053.005). And in the Synnovis case, they modified Group Policy Objects (GPOs) (T1484.001) to push their tools across the entire domain. That last one is worth sitting with for a moment. They used the organisation's own management infrastructure to deploy their attack.
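The three persistence mechanisms above are all visible from the host they land on. The following PowerShell script is an added example, not code from the original article or from any vendor, and it audits exactly those three places on a single Windows machine: run keys, scheduled tasks, and recently modified Group Policy Objects. The trusted-directory list, the one-week GPO review window, and the treatment of `PS*` properties as provider metadata are assumptions made for illustration; a binary under Program Files can still be malicious, so the output is a triage list, not a verdict.

```powershell
# Added example, not code from the original article: a persistence audit for a
# single Windows host covering the three mechanisms described above.
# Assumptions: the trusted-directory list, the one-week GPO review window, and
# that provider metadata properties (PS*) are the only ones to skip.

$TrustedRoots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:SystemRoot) |
    Where-Object { $_ }   # drop the empty entry on hosts without a 32-bit Program Files

function Get-ExecutablePath {
    # Reduce a command line to its executable, expanding %SystemRoot%-style variables
    param([string]$Command)
    $expanded = [Environment]::ExpandEnvironmentVariables($Command)
    if ($expanded -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($expanded -match '^\s*(\S+)')    { return $Matches[1] }
    return ''
}

function Test-TrustedPath {
    # True only when the executable lives under one of the trusted roots.
    # A binary in Program Files can still be malicious; this is triage, not a verdict.
    param([string]$Path)
    foreach ($root in $TrustedRoots) {
        if ($Path.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

$findings = New-Object System.Collections.Generic.List[object]

# 1. Registry run keys (T1547.001)
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $RunKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # PSPath, PSProvider etc. are provider metadata
        if (-not (Test-TrustedPath (Get-ExecutablePath $p.Value))) {
            $findings.Add([pscustomobject]@{ Source = $key; Name = $p.Name; Command = $p.Value })
        }
    }
}

# 2. Scheduled tasks (T1053.005): anything outside Microsoft's own task folders
#    that runs from an untrusted directory, e.g. a "TeamViewer" task pointing at %TEMP%
foreach ($task in (Get-ScheduledTask | Where-Object { $_.TaskPath -notlike '\Microsoft\*' })) {
    foreach ($action in $task.Actions) {
        if (-not $action.Execute) { continue }   # COM-handler actions have no Execute
        if (-not (Test-TrustedPath (Get-ExecutablePath $action.Execute))) {
            $findings.Add([pscustomobject]@{
                Source  = 'ScheduledTask'
                Name    = "$($task.TaskPath)$($task.TaskName)"
                Command = "$($action.Execute) $($action.Arguments)".Trim()
            })
        }
    }
}

# 3. Group Policy Objects (T1484.001): GPOs changed in the review window, when the
#    RSAT GroupPolicy module is installed and the host is domain-joined
if (Get-Module -ListAvailable -Name GroupPolicy) {
    $since = (Get-Date).AddDays(-7)
    foreach ($gpo in (Get-GPO -All | Where-Object { $_.ModificationTime -gt $since })) {
        $findings.Add([pscustomobject]@{
            Source  = 'GPO'
            Name    = $gpo.DisplayName
            Command = "modified $($gpo.ModificationTime); review its scripts and scheduled-task preferences"
        })
    }
}

$findings | Format-Table -AutoSize -Wrap
```

Run it in an elevated session so HKLM and every scheduled task are readable. The GPO check only tells you that a policy changed; the point of the Synnovis case is that a changed GPO is the delivery vehicle, so each flagged GPO's startup scripts and scheduled-task preferences need a human to read them.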
Escalating privileges
Domain accounts (T1078.002) provide the initial elevation. From there, Qilin deploys a Themida-packed version of Mimikatz (T1134) to extract credentials from memory. They also bypass User Account Control (T1548.002) on individual machines.
The Mimikatz binary is wrapped in Themida, a commercial code protection tool. That's not accidental: the wrapping makes the binary harder for antivirus to detect, because it looks like a legitimate protected application rather than a hacking tool.
Moving around
Lateral movement uses PsExec v2.43 (T1021.002) and Remote Desktop Protocol (T1021.001). Both are legitimate administrative tools in their own right. PsExec is a Microsoft Sysinternals tool that system administrators use daily. An attacker running PsExec across your network looks identical to your IT team doing the same thing.
Qilin affiliates also abuse remote management tools like AnyDesk and ScreenConnect. Again, legitimate tools that don't trigger alerts in most environments because they're supposed to be there.
Stealing credentials
This is where the Synnovis attack gets particularly interesting from a technical perspective.
Qilin deployed a PowerShell script via Group Policy (T1059.001) that harvested saved credentials from Google Chrome (T1555.003) on every single machine in the domain. One analysed case found a single user had 87 work passwords and 174 personal passwords stored in Chrome, all of them harvested in one pass.
They also dumped credentials from the Local Security Authority Subsystem Service (LSASS) (T1003.001), the Windows process that handles authentication, and harvested WDigest credentials. The LSASS dump used the same Themida-packed Mimikatz binary mentioned earlier.
This is the technique I'd flag to any organisation reading this. Password managers exist specifically to stop this. Chrome's built-in password storage is not a password manager. It's a convenience feature with minimal protection, and Qilin treated it like a buffet.
Getting data out
Before encrypting anything, Qilin exfiltrated 400 GB of data using Cyberduck to upload to Backblaze cloud storage (T1537). Data was staged using WinRAR before transfer. This is the double extortion model: even if you restore from backups, they still have your data and will publish it.
Detonation
The encryption itself uses either AES-256-CTR or ChaCha20, with RSA-4096 key wrapping (T1486). Before encrypting, Qilin deletes Volume Shadow Copies (T1490) so you can't roll back, and stops antivirus, Structured Query Language (SQL) database, and backup services (T1489) so nothing interferes.
The defence evasion is worth understanding in detail. Qilin uses bring-your-own-vulnerable-driver (BYOVD), loading a legitimate but vulnerable kernel driver (their tool is called "dark-kill") to disable endpoint detection and response (EDR) products from kernel level (T1562.001). They've also been observed booting into safe mode (T1562.009) where security software doesn't run, and clearing Windows event logs (T1070.001) to cover their tracks.
They're not disabling your antivirus from userspace. They're loading a signed driver into the Windows kernel and killing your security tools from below. Most EDR products can't defend against that.
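Several of the techniques described in the kill chain leave specific Windows event log entries behind: PsExec installs a service on the target (System event 7045, service name PSEXESVC by default), scheduled task creation is recorded as Security event 4698 with the task XML included, and clearing the Security log writes a 1102 as the first entry of the freshly emptied log (other logs record a System 104). The script below is an added example, not code from the original article, that hunts one host's logs for those signals. The 24-hour window and the list of user-writable paths are assumptions; adjust them to your retention and environment.

```powershell
# Added example, not code from the original article: hunt one host's event logs
# for the traces the techniques above leave behind. Requires an elevated session
# for the Security log. The 24-hour window is an assumption.

$Since = (Get-Date).AddHours(-24)

function Get-EventData {
    # Flatten the <EventData> section of an event into a hashtable keyed by Data Name
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml = [xml]$Event.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) {
        if ($d.Name) { $data[$d.Name] = $d.'#text' }
    }
    return $data
}

function Find-Events {
    # Get-WinEvent raises an error when nothing matches; treat that as "no events"
    param([string]$Log, [int[]]$Id)
    try {
        Get-WinEvent -FilterHashtable @{ LogName = $Log; Id = $Id; StartTime = $Since } -ErrorAction Stop
    } catch { @() }
}

$alerts = New-Object System.Collections.Generic.List[object]

# T1021.002: PsExec installs a temporary service on the target, logged as System 7045.
# Any new service whose binary sits in a user-writable directory is worth a look too.
foreach ($e in Find-Events -Log 'System' -Id 7045) {
    $d = Get-EventData $e
    $signal = if ($d.ServiceName -match 'PSEXE') { 'PsExec service install' }
              elseif ($d.ImagePath -match '\\(Temp|Users\\Public|ProgramData)\\') { 'service from user-writable path' }
              else { $null }
    if ($signal) {
        $alerts.Add([pscustomobject]@{ Time = $e.TimeCreated; Signal = $signal; Detail = "$($d.ServiceName) -> $($d.ImagePath)" })
    }
}

# T1053.005: Security 4698 records every scheduled task creation with the caller and
# the task XML, so a task "disguised as TeamViewer" still shows its real command line.
foreach ($e in Find-Events -Log 'Security' -Id 4698) {
    $d = Get-EventData $e
    $alerts.Add([pscustomobject]@{ Time = $e.TimeCreated; Signal = 'scheduled task created'; Detail = "$($d.SubjectUserName) created $($d.TaskName)" })
}

# T1070.001: clearing the Security log leaves a 1102 as the first entry of the new,
# empty log; clearing any other log leaves a System 104. Either should page someone.
foreach ($e in Find-Events -Log 'Security' -Id 1102) {
    $alerts.Add([pscustomobject]@{ Time = $e.TimeCreated; Signal = 'Security log cleared'; Detail = $e.Message })
}
foreach ($e in Find-Events -Log 'System' -Id 104) {
    $alerts.Add([pscustomobject]@{ Time = $e.TimeCreated; Signal = 'event log cleared'; Detail = $e.Message })
}

$alerts | Sort-Object Time | Format-Table -AutoSize -Wrap
```

The obvious caveat follows from the log-clearing technique itself: if the logs on the host have already been wiped, this script finds only the 1102 or 104 and nothing before it. Forwarding these event IDs to a collector (Windows Event Forwarding or a SIEM) as they are written is what turns them from forensic residue into an alert.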
What Cyber Essentials would have stopped
I want to be direct about this: CE addresses the front door, not everything that happens once someone's inside. But the front door is where this attack started, and CE's five controls map directly to Qilin's primary entry methods.
Patching (CE Control: Patch Management). Qilin exploited Fortinet CVE-2024-21762 and Veeam CVE-2023-27532. Both had patches available. CE requires all high-risk and critical patches to be applied within 14 days. If Synnovis's Fortinet appliances had been patched within that window, the exploit wouldn't have worked.
MFA on remote access (CE Control: User Access Control). The attackers maintained VPN access for 18 days without MFA blocking them. CE requires MFA on cloud services and internet-facing administrative portals. VPN without MFA is exactly the gap this control exists to close.
Firewall configuration (CE Control: Firewalls). Restricting inbound access to VPN appliances and removing unnecessary services reduces the attack surface. CE wouldn't have eliminated the risk entirely, but it would have narrowed the entry points.
Removing defaults and unnecessary services (CE Control: Secure Configuration). Default configurations on VPN appliances and backup servers created exploitable conditions. CE requires changing defaults and disabling services you don't need.
Separate admin accounts (CE Control: User Access Control). If the compromised credentials had been standard user accounts without admin privileges, lateral movement would have been significantly harder. CE requires that day-to-day accounts aren't admin accounts.
Five controls, none of them exotic, all directly relevant to how this attack started.
What Cyber Essentials wouldn't have stopped
CE is a baseline, not a silver bullet. I need to be honest about where its coverage ends.
EDR bypass via BYOVD. Qilin's kernel-level driver attack disables security tools in ways that CE's malware protection control doesn't address. CE requires antivirus. It doesn't require antivirus that can survive a kernel-level attack, because almost no antivirus can, a point the quarterly posture guidance notes also make.
Lateral movement via legitimate tools. PsExec, AnyDesk, and ScreenConnect are the primary examples. These are tools that are supposed to be on the network. CE doesn't address the misuse of authorised software. That's a detection and monitoring problem, not a configuration one.
Data exfiltration. Once Qilin had domain-level access, they staged and extracted 400 GB of data. CE doesn't cover data loss prevention, network segmentation to isolate sensitive data, or outbound traffic monitoring.
Chrome credential harvesting via GPO. This is a post-compromise technique deployed through an already compromised domain. CE requires good password practices, but it doesn't mandate enterprise password managers or prohibit browser credential storage.
CE closes the front door but doesn't secure every room in the house. But if the front door had been closed, none of the post-compromise tradecraft would have been needed.
Three things to do this week
Check your VPN. If it doesn't require MFA, fix that before anything else. This is Qilin's most reliable entry point and it's the easiest to close. If you're using Fortinet, check your firmware version against CVE-2024-21762. If you're unpatched, treat it as an active emergency.
Audit browser password storage. Find out how many of your users have work credentials saved in Chrome. The answer will probably be uncomfortable. Disable Chrome's password save prompt via Group Policy and deploy a proper password manager. The Synnovis credential harvest didn't require sophisticated tooling. One PowerShell script pushed via GPO.
Separate your admin accounts. If the people who administer your systems are doing it from the same accounts they use for email and web browsing, an attacker who compromises that account gets admin access for free. Using separate accounts for administrative tasks is a CE requirement and one of the simplest ways to slow lateral movement.
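The first item, checking that your VPN enforces MFA, depends on the appliance and isn't something a generic script can verify. The second and third can be scripted on any Windows host, and the PowerShell below is an added example, not code from the original article, that does so: it lists which users have a Chrome `Login Data` store (the SQLite file the GPO-pushed harvesting script read), writes the registry value that the Chrome `PasswordManagerEnabled` policy sets when pushed by Group Policy, and flags members of the local Administrators group that don't look like dedicated admin accounts. The `-adm` naming convention and the use of file size as a stand-in for a credential count are assumptions; a real count needs an SQLite reader.

```powershell
# Added example, not code from the original article: the second and third
# checks above, scripted for one Windows host. Run elevated so other users'
# profiles and the HKLM policy key are accessible.
# Assumptions: admin accounts end in "-adm"; file size stands in for a credential count.

# --- 2. Browser password storage -------------------------------------------
function Get-ChromeCredentialStores {
    # One row per Chrome profile that has a "Login Data" store. Size and last-write
    # time are a proxy for "has this person been saving work passwords in Chrome".
    $results = @()
    foreach ($profileDir in (Get-ChildItem 'C:\Users' -Directory)) {
        $userData = Join-Path $profileDir.FullName 'AppData\Local\Google\Chrome\User Data'
        if (-not (Test-Path $userData)) { continue }
        foreach ($chromeProfile in (Get-ChildItem $userData -Directory |
                 Where-Object { $_.Name -eq 'Default' -or $_.Name -like 'Profile *' })) {
            $store = Join-Path $chromeProfile.FullName 'Login Data'
            if (-not (Test-Path $store)) { continue }
            $f = Get-Item $store
            $results += [pscustomobject]@{
                User      = $profileDir.Name
                Profile   = $chromeProfile.Name
                SizeKB    = [math]::Round($f.Length / 1KB, 1)
                LastWrite = $f.LastWriteTime
            }
        }
    }
    return $results
}

function Set-ChromePasswordSavingDisabled {
    # Writes the value the Chrome ADMX policy "PasswordManagerEnabled = Disabled" sets.
    # In a domain, set it in a GPO instead so it applies everywhere and is re-applied
    # on every policy refresh; this local write is for a one-off host or a lab check.
    # Already-saved passwords stay in the file until users move them to a manager.
    $key = 'HKLM:\SOFTWARE\Policies\Google\Chrome'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name 'PasswordManagerEnabled' -Value 0 -Type DWord
    Get-ItemProperty -Path $key -Name 'PasswordManagerEnabled'
}

# --- 3. Separate admin accounts ---------------------------------------------
function Get-AdminAccountsWithoutSeparation {
    # Members of the local Administrators group whose names don't follow the assumed
    # "<name>-adm" convention, i.e. everyday accounts that also carry admin rights.
    param([string]$AdminSuffix = '-adm')
    Get-LocalGroupMember -Group 'Administrators' |
        Where-Object { $_.ObjectClass -eq 'User' -and $_.Name -notlike "*$AdminSuffix" } |
        Select-Object Name, PrincipalSource
}

Get-ChromeCredentialStores | Format-Table -AutoSize
Get-AdminAccountsWithoutSeparation | Format-Table -AutoSize
# Set-ChromePasswordSavingDisabled   # uncomment to enforce the policy on this host
```

Disabling the save prompt is only half the job described above: the `Login Data` files already on disk still hold whatever was saved before the policy landed, so the audit output doubles as the list of people who need to migrate into the password manager and then clear Chrome's store.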