The Synnovis Ransomware Attack: How One Pathology Provider Took Down Six NHS Trusts

On 3 June 2024, ransomware encrypted almost every IT system at Synnovis, a pathology services provider for National Health Service (NHS) hospitals across south-east London. Within hours, blood testing across the region collapsed entirely. Hospitals couldn't run cross-match tests for transfusions, so they switched to universal O-type blood only, burning through reserves that were already limited. NHS Blood and Transplant (NHSBT) issued an urgent national appeal for O-positive and O-negative donors at 25 blood donor centres across England.
By the time the disruption ended, 10,152 outpatient appointments had been postponed and 1,710 elective procedures cancelled. Parliament was told that 1,100 cancer treatments were delayed. One patient died after delayed blood test results were confirmed as a contributing factor. Synnovis refused to pay the ransom, and the total cost reached GBP 32.7 million.
Full service restoration took six months, and the forensic investigation took another 18.
What everyone thinks happened
The media framing was predictable: hackers attacked the NHS. That framing is wrong in a way that matters.
Synnovis is not part of the NHS. It's a limited liability partnership (LLP), a joint venture between SYNLAB UK and Ireland (a subsidiary of Germany's largest private medical diagnostics company) and two NHS foundation trusts: Guy's and St Thomas' and King's College Hospital. The partnership was formed on 1 April 2021 when SYNLAB officially joined the existing NHS pathology arrangement, which had previously operated under the name Viapath. It rebranded to Synnovis in October 2022.
Synnovis provides blood testing, urine testing, tissue pathology, and digital diagnostics for almost two million people in south-east London. It processes around 10,000 blood tests per day across the affected hospitals. But it is a private company contracting services to the NHS, not an NHS body.
That distinction changes the entire story because this was not a hospital network attack. It was a supply chain attack on NHS diagnostic infrastructure. One private pathology provider was compromised, and the clinical impact cascaded outward to six NHS trusts, general practitioner (GP) practices across six London boroughs, and ultimately to the national blood supply. The attack surface was a single company, but the blast radius was a regional healthcare system.
The six trusts affected were Guy's and St Thomas' NHS Foundation Trust, King's College Hospital NHS Foundation Trust, South London and Maudsley NHS Foundation Trust, Lewisham and Greenwich NHS Trust, Oxleas NHS Foundation Trust, and Bromley Healthcare. NHS London declared a Critical Incident on 4 June 2024, the day after the attack.
What actually happened
Qilin: from Agenda to Rust-based RaaS
The group responsible for the Synnovis attack is known as Qilin, also tracked under the name Agenda. They were first observed in July 2022 by Trend Micro, who documented a ransomware strain written in Golang (the Go programming language) that could be customised per target. By December 2022, the group had rewritten their malware in Rust, a systems programming language that makes the code harder to reverse-engineer and enables cross-platform deployment across Windows, Linux, and VMware ESXi virtualisation environments.
Qilin operates as a ransomware-as-a-service (RaaS) platform. The core operators build and maintain the malware and infrastructure, while affiliates carry out the actual attacks. The profit split is 80% to the affiliate for ransoms under USD 3 million and 85% above that threshold. The operators are believed to be Russian-speaking, and they recruit affiliates through underground forums.
The encryption uses a combination of ChaCha20 or AES-256 (Advanced Encryption Standard) for file encryption and RSA-4096 for key wrapping. The Rust variant supports intermittent encryption, which means it only encrypts portions of each file rather than the entire thing, making it faster to execute and harder for behavioural detection tools to catch in time.
How Qilin affiliates typically get in
The specific initial access vector for the Synnovis attack has not been publicly confirmed by Synnovis, NHS England, or any investigating body. The forensic investigation took 18 months and the detailed findings have not been released publicly. What we do know comes from Sophos, who published a detailed analysis of a Qilin affiliate's techniques in August 2024, and from Trend Micro and SentinelOne, who have been tracking the group since its first appearance.
Qilin affiliates are known to gain initial access through compromised credentials on virtual private network (VPN) portals that lack multi-factor authentication (MFA). In the incident Sophos analysed, the affiliate sat inside the network for 18 days between initial access and lateral movement, a dwell time that's consistent with careful reconnaissance before deployment.
From the VPN foothold, the affiliate moved to a domain controller using the compromised credentials. Once on the domain controller, they edited the default domain Group Policy Object (GPO) to deploy two items: a PowerShell script called IPScanner.ps1 that harvested credentials stored in Google Chrome browsers, and a scheduled task for ransomware deployment.
The Chrome credential theft is worth understanding in detail. Chrome holds over 65% of the browser market. The GPO pushed the harvesting script to every machine in the domain, and it ran automatically at logon. Sophos documented one case where a single user had 87 work passwords and approximately 174 personal passwords stored in Chrome, all of them extracted in one pass. That's not a targeted attack on one account. That's a full credential harvest across an entire organisation, deployed through the organisation's own management infrastructure.
After harvesting, the affiliate deleted the credential files and cleared event logs on the domain controller and infected machines to cover their tracks.
Other known Qilin initial access methods include spearphishing targeted at individuals with privileged access, exploitation of public-facing applications (particularly Citrix and Remote Desktop Protocol endpoints), and purchasing valid credentials from initial access brokers (IABs) who specialise in selling network access to ransomware operators.
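As an added illustration (not code from the original article or from any of the vendors cited), the following Python correlation rule flags the chain described above from a defender's own telemetry: a Group Policy Object edit on the domain controller, followed within a window by scheduled-task creation on domain members and event-log clearing. It assumes a simplified pipe-delimited log format and uses constructed sample records; the Windows event IDs and the Default Domain Policy GUID are the standard ones.

```python
"""Correlation rule for the GPO-abuse chain described above: a GPO edit on the
domain controller, then scheduled-task creation on domain members and event-log
clearing. Input (an assumption) is "timestamp|host|event_id|detail" per line;
the sample records below are constructed, not real telemetry."""
import re
from datetime import datetime, timedelta

# Well-known GUID of the Default Domain Policy, identical in every AD forest.
DEFAULT_DOMAIN_POLICY = "{31B2F340-016D-11D2-945F-00C04FB984F9}"
# 5136 = directory service object modified (needs DS object access auditing),
# 4698 = scheduled task created, 1102 = Security log cleared,
# 104 = System/Application log cleared (Microsoft-Windows-Eventlog).
GPO_MODIFIED, TASK_CREATED, LOG_CLEARED = 5136, 4698, {1102, 104}
GUID_RE = re.compile(r"\{[0-9A-F-]{36}\}", re.I)
# Tuning assumption: built-in tasks under \Microsoft\Windows\ are treated as noise.
BUILTIN_TASK_RE = re.compile(r"task=\\Microsoft\\Windows\\")

SAMPLE_LOG = r"""
2024-05-16T22:41:07|DC01|5136|class=groupPolicyContainer object=CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies attr=versionNumber
2024-05-16T22:43:19|DC01|5136|class=groupPolicyContainer object=CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies attr=gPCMachineExtensionNames
2024-05-17T08:02:55|WS-014|4698|task=\IPScanner command=powershell.exe -File \\DC01\SYSVOL\corp\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\IPScanner.ps1
2024-05-17T08:03:01|WS-021|4698|task=\IPScanner command=powershell.exe -File \\DC01\SYSVOL\corp\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\IPScanner.ps1
2024-05-17T09:15:40|DC01|1102|subject=CORP\svc_backup log=Security
2024-05-17T09:15:41|DC01|104|subject=CORP\svc_backup log=System
2024-05-17T11:30:00|WS-014|1102|subject=CORP\svc_backup log=Security
2024-05-18T03:00:00|DC01|4698|task=\Microsoft\Windows\Defrag\ScheduledDefrag command=defrag.exe
"""

def parse_events(log_text):
    """Parse pipe-delimited records into dicts sorted by timestamp."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, host, eid, detail = line.split("|", 3)
        events.append({"time": datetime.fromisoformat(ts), "host": host,
                       "event_id": int(eid), "detail": detail})
    return sorted(events, key=lambda e: e["time"])

def correlate(events, window_hours=72):
    """One alert per modified GPO. 'high' = task creation AND log clearing
    follow the edit inside the window; 'medium' = only one follows, or the
    edit touched the Default Domain Policy; 'low' otherwise."""
    window = timedelta(hours=window_hours)
    first_edit = {}  # GPO GUID -> earliest 5136 record touching it
    for e in events:
        if e["event_id"] == GPO_MODIFIED and "groupPolicyContainer" in e["detail"]:
            m = GUID_RE.search(e["detail"])
            first_edit.setdefault(m.group(0).upper() if m else e["detail"], e)
    alerts = []
    for gpo, edit in first_edit.items():
        later = [e for e in events if edit["time"] < e["time"] <= edit["time"] + window]
        task_hosts = sorted({e["host"] for e in later if e["event_id"] == TASK_CREATED
                             and not BUILTIN_TASK_RE.search(e["detail"])})
        wiped_hosts = sorted({e["host"] for e in later if e["event_id"] in LOG_CLEARED})
        if task_hosts and wiped_hosts:
            severity = "high"
        elif task_hosts or wiped_hosts or gpo == DEFAULT_DOMAIN_POLICY:
            severity = "medium"
        else:
            severity = "low"
        alerts.append({"gpo": gpo, "severity": severity, "edit_host": edit["host"],
                       "first_edit": edit["time"].isoformat(),
                       "task_hosts": task_hosts, "log_cleared_hosts": wiped_hosts})
    return alerts
```

In production the 5136 source requires "Audit Directory Service Changes" and a SACL on the Policies container, and any edit to the Default Domain Policy outside change control deserves review on its own.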
The clinical cascade
The technical impact at Synnovis was total: almost all IT systems were affected and pathology services went down. But the clinical cascade that followed is what makes this incident different from a typical ransomware attack on a corporate network.
Without functioning pathology IT systems, hospitals could not run electronic blood tests. That meant they couldn't identify a patient's blood type and cross-match it against available blood for transfusions. Cross-matching is the process that ensures a transfusion recipient gets compatible blood. Without it, clinicians had to use universal donor blood (O-negative for all patients, O-positive where safe) instead of type-matched blood.
O-negative blood makes up roughly 8% of the UK population's blood type. It is already the rarest commonly used blood type, and it is the default for emergency transfusions because it can be given to any patient. When every hospital in south-east London switched to O-type only, the reserves drained fast. NHSBT issued an Amber Alert for O-negative blood in July 2024 and launched an urgent appeal at 25 blood donor centres across England.
The cascade ran like this: ransomware hit the pathology provider, so blood testing stopped, so cross-matching stopped, so hospitals used universal blood only, so national O-negative reserves dropped to critical levels, so surgeries that required blood transfusion were cancelled, so patients with conditions that couldn't wait were diverted to hospitals outside the affected area.
Staff at Synnovis and the affected trusts reverted to manual, paper-based processes. Capacity dropped to approximately 10% of normal. Blood test analysers could not identify or process samples electronically. Every sample had to be handled manually, which is slower, more error-prone, and can only handle a fraction of the normal volume.
In the first week alone (3 to 9 June), over 800 planned operations and 700 outpatient appointments were rearranged at Guy's and St Thomas' and King's College Hospital. By September, the weekly disruption figures had dropped to single digits (six outpatient appointments and one elective procedure postponed in the week of 9 to 15 September), but the cumulative damage was done.
Data exfiltration and publication
Synnovis confirmed that data was stolen from an administrative working drive. On 20 June 2024, 17 days after the initial attack, Qilin published the stolen data online. The volume was reportedly around 400 GB, though that figure has not been confirmed in official sources.
The data included personal information (NHS numbers, names, dates of birth), test results (positive/negative indicators), and numerical values such as blood sugar levels. Reports indicate the stolen data included sensitive test results for HIV, sexually transmitted infections, and cancer screenings. There is no evidence that the main laboratory operations database was compromised.
The forensic investigation to determine exactly what was taken and who was affected took 18 months, primarily because the stolen data was unstructured, incomplete, and fragmented. Synnovis completed the review in November 2025 and began notifying affected organisations. Synnovis notifies the healthcare organisations, and those organisations notify the patients directly. Reportedly, over 900,000 individuals were potentially affected, though this figure has not been confirmed in official statements.
On 21 June, the day after the data was published, Synnovis obtained a legal injunction preventing further use or publication of the stolen data. The National Cyber Security Centre (NCSC) published a statement describing the reports as "very concerning" and advised people to remain alert to suspicious messages from fraudsters exploiting the situation. The Information Commissioner's Office (ICO) confirmed it had been notified and was making enquiries.
Double harm
Patients in the affected trusts were harmed twice. First by the service disruption: delayed blood tests contributed to a patient death, caused two cases of severe harm, 11 cases of moderate harm, and over 120 cases of low harm. Second by the data exposure: sensitive health information published online, available for anyone to find and misuse. The patient death was confirmed by King's College Hospital NHS Foundation Trust through a patient safety incident investigation that identified delayed blood test results as a contributing factor. The Committee of Public Accounts stated the attack "tragically, contributed to the death of a patient."
This is one of the first confirmed cases globally where a ransomware attack has been identified as a contributing factor in a patient death.
Myth vs fact
Myth: The attackers targeted the NHS directly.
Synnovis is a private company, not an NHS body. Qilin targets large enterprises and high-value organisations. The attack hit a private pathology provider, and the clinical impact cascaded to the NHS through the supply chain. The distinction matters because it reveals the actual vulnerability: the NHS's dependency on a single third-party provider for diagnostic services across an entire region. Attacking Synnovis was more effective than attacking any individual hospital, because one compromise disrupted blood testing for all of them.
Myth: This was a quick hit, in and out.
Forensic investigations into Qilin affiliate behaviour by Sophos have documented dwell times of 18 days between initial access and lateral movement. The attack was executed on 3 June 2024. Service restoration took until 18 December 2024. The forensic investigation to determine what data was stolen took until November 2025. The attack itself may have taken hours to deploy. Its consequences lasted more than 18 months and, through the ongoing legal and legislative responses, continue today.
Myth: Paying the ransom would have ended the disruption.
Synnovis refused to pay, citing ethical principles and the refusal to fund future criminal activity. But even if they had paid, the data had already been exfiltrated. Double extortion means the attackers steal data before encrypting it, so paying the ransom only addresses the encryption. The stolen data, including HIV results, cancer screenings, and personal identifiers, would still be in the attackers' possession. The Ireland HSE attack in 2021 demonstrated this directly: Conti provided the decryption key for free, and recovery still took four months because decrypting systems doesn't rebuild trust in a compromised network or restore the data that was already stolen.
Myth: The GBP 32.7 million figure represents the total cost.
That's the direct financial cost reported by the Committee of Public Accounts, and it covers Synnovis's incident response and restoration. It doesn't include the cost of 10,152 postponed appointments rescheduled across other NHS trusts, the national blood donor mobilisation, the 18-month forensic investigation, the ongoing legal proceedings, or the broader legislative and regulatory response. The full economic impact is significantly higher.
What would have stopped this
The specific measures that would have prevented or limited the Synnovis attack map to well-known security principles, and none of them are exotic.
MFA on VPN access would have blocked the initial entry point. Qilin affiliates are known to exploit VPN portals without MFA. This is consistently documented across Sophos, SentinelOne, and Trend Micro analyses of the group's techniques. MFA on all remote access is the single most effective countermeasure against credential-based initial access. If the VPN required a second authentication factor, stolen or purchased credentials alone would not have been enough to get in.
Supply chain security assessments should have identified the concentration risk. Synnovis processes 10,000 blood tests per day for six NHS trusts and GP practices across six London boroughs. That level of dependency on a single third-party provider creates a concentration risk that should be identified, assessed, and mitigated as part of any supply chain risk management programme. The NCSC's Annual Review for 2024 stated directly: "The nature of modern supply chains means that a ransomware attack on one organisation can have a significant impact on many others."
Third-party risk management with contractual security requirements would have set a baseline. The relationship between NHS trusts and Synnovis is a commercial contract. That contract is the mechanism through which security expectations can be set, verified, and enforced. Requiring security standards, regular assessments, incident response capabilities, and business continuity planning from critical suppliers is standard practice in financial services and increasingly expected in healthcare.
Diagnostic infrastructure resilience planning was absent for the affected region. When Synnovis went down, there was no alternative pathology provider for the affected hospitals to switch to. The entire south-east London region depended on one provider for blood testing. Resilience in critical infrastructure means having alternatives: redundant systems, mutual aid agreements with other pathology providers, or the ability to process essential tests manually at clinically acceptable volumes.
Credential hygiene and browser password management would have limited lateral movement. Qilin's Chrome credential harvesting technique exploits the fact that many users store work passwords in their browser. Deploying an enterprise password manager and disabling Chrome's built-in password save function via GPO removes the target. This doesn't prevent the initial compromise, but it limits the attacker's ability to harvest credentials at scale after they're inside.
What changed after
The Synnovis attack did not disappear into the usual cycle of headline, statement, and silence. It reached Parliament and triggered new legislation within 18 months.
Cyber Security and Resilience Bill
On 12 November 2025, the UK Government introduced the Cyber Security and Resilience Bill to Parliament, explicitly reforming the Network and Information Systems (NIS) Regulations 2018, which the Government described as "out of date and no longer sufficient to tackle the cyber threats faced by the UK." Parliamentary statements directly referenced the Synnovis attack as demonstrating why the legislation was needed.
During the debate, MPs cited the specific clinical impact: 1,100 cancer treatments delayed, over 1,000 operations postponed, and a patient death. The Bill introduces powers for the Government to designate "critical suppliers" and set stronger supply chain security duties, directly addressing the structural vulnerability the Synnovis attack exposed.
The NCSC published a blog supporting the Bill's policy statement, and its Annual Review for 2024 classified ransomware as "the most immediate and disruptive threat to critical national infrastructure," citing the Synnovis incident as a key example.
Government Cyber Action Plan
In January 2026, the Government published a Cyber Action Plan that referenced lessons from the Synnovis attack. The plan sits alongside the Cyber Security and Resilience Bill as part of a broader response to supply chain and critical infrastructure vulnerabilities.
Post-incident improvements
The Government confirmed that the Synnovis incident led to improvements in critical communications processes, additional measures to improve resilience in the supply chain, and clearer roles and responsibilities in incident management. These changes were detailed in Written Statement HCWS1046, published on 12 November 2025 alongside the Bill's introduction.
Synnovis's ethical refusal to pay
Synnovis refused to pay the ransom, a decision made jointly with its NHS trust partners. The company described this as reflecting "our commitment to ethical principles and the rejection of funding future cybercriminal activities." This had consequences: the stolen data was published on 20 June 2024, and the recovery was longer and more painful than it might have been with a working decryption key. But the principle, that paying ransoms funds the next attack, is increasingly the position taken by governments and insurers globally.
Committee of Public Accounts findings
The Committee of Public Accounts published its "Government Cyber Resilience" report in May 2025, citing Synnovis as a central case study. The committee concluded that "Government's work to date has not been sufficient to make it resilient to cyber attack by 2025, and meeting its 2030 aim to make the wider public sector cyber resilient will require a fundamentally different approach."
The supply chain problem
A comparison with WannaCry in 2017 is instructive. WannaCry was a self-propagating worm that spread across 80 NHS trusts and 595 GP practices nationwide, exploiting unpatched Windows systems. It was fast, it was loud, and its root cause was straightforward: missing patches. No data was stolen and no patients died. Recovery took roughly a week for most trusts, and the total cost was GBP 92 million.
Synnovis was the opposite in almost every way. It was a targeted, human-operated attack against a single private company, not the NHS itself. It affected six trusts and GP practices across six boroughs, not the whole country. But it stole data, contributed to a patient death, took six months to recover from, and triggered legislation. The attack surface was smaller, but the consequences cut far deeper.
WannaCry taught the NHS about patch management and end-of-life systems. Synnovis is teaching it about supply chain dependency and third-party risk. The lesson from WannaCry was that your own systems need to be patched. The lesson from Synnovis is that it doesn't matter how well your own systems are secured if the diagnostic provider you depend on for 10,000 blood tests a day gets compromised and there's no backup.
That's the problem with supply chain attacks. The blast radius isn't defined by your own network boundary. It's defined by every organisation that depends on the compromised supplier, and every patient who depends on those organisations.