UK and US cops have reportedly joined forces to find and fight Qilin, the ransomware gang wreaking havoc on the global healthcare industry.

In early June, the notorious Russia-based crew attacked Synnovis, which provides pathology services to National Health Service's London hospitals. The digital intrusion has led to the cancellation or postponement of surgeries for thousands of patients.

Adding insult to injury, the ransomware scum began leaking a trove of stolen patient data on Friday. A spokesperson told The Register they have no regrets about crippling hospitals.

On Monday, NHS England said it was working with Synnovis and the UK's National Crime Agency (NCA) to respond to the ransomware infection.

While Synnovis has determined that the leaked data was stolen from its systems, "at present, Synnovis has confirmed there is no evidence the cybercriminals have published a copy of the database (Laboratory Information Management System) where patient test requests and results are stored, although their investigations are ongoing," according to the NHS England update.

Qilin, however, operates worldwide and in April claimed to have swiped more than 70 GB of data belonging to more than half a million US radiology patients.

However, as other ransomware gangs have learned, going after these critical organizations puts an even bigger target on the extortionists' backs. 

Qilin reportedly demanded a $50 million (£39 million) ransom, which was not paid, then published millions of patients' records on a dark web market for stolen information.

Over the weekend reports began emerging that the UK National Crime Agency (NCA) was working to remove the leaked patient data and use it to help track down the criminals. While Qilin is believed to have the Kremlin's approval, either explicitly or implicitly, to run its cybercrime operation from Russia, the ransomware-as-a-service affiliates could be located anywhere in the world.

Paul Foster, a director at the NCA who leads its cybercrime unit, told The Times: 

According to the publication, the FBI is one of these international partners because Qilin has previously broken into and extorted several American healthcare companies and medical facilities.

Earlier this month, the US Department of Health and Human Services issued a warning about Qilin, saying it had identified at least 15 infections involving the gang's ransomware in the healthcare and public health sector worldwide since October 2022. About half of these were targeting American organizations in Indiana, Florida, Ohio, Georgia, Minnesota, Nevada, and Arizona.

"These US HPH victim organizations include dental clinics, a healthcare communications company, an emergency medicine specialist, a radiology company, a home healthcare provider, a neurology center, and a cardiovascular medicine clinic," according to the advisory [PDF].

Neither the FBI nor NCA immediately responded to The Register's questions, including whether they were collaborating on law enforcement action against Qilin and its members. The NCSC referred us to NCA for comment.

"It wouldn't be at all surprising if law enforcement were now to give extra attention on Qilin - in fact, it would be more surprising if they didn't," Brett Callow, threat analyst at Emsisoft, told The Register.

According to Emsisoft, 15 health systems with a total of 198 hospitals in the US alone have been hit by ransomware attacks this year, and that doesn't include Change Healthcare or other supply chain incidents.

"While disruptions are certainly extremely useful, they're not a standalone solution to the ransomware problem, and we really need to see new policy mechanisms put in place, especially in relation to better protecting the hospitals and their supply chains," Callow added. ®

https://www.theregister.com//2024/06/25/nca_fbi_qilin_ransomware/