- Author, Joe neat
- Role, Cyber Correspondent, BBC World Service
The cybercriminals responsible for causing major disruption to London hospitals say they are “sorry” for any damage caused but that they are “not to blame”.
The ransomware gang spoke to the BBC via the encrypted chat service qTox and tried to justify the attack as a form of political protest.
Qilin, which has a track record of attempting to extort money, claims in this case to have carried out a cyber attack in revenge for the British government’s actions in a secret war.
However, experts are skeptical. Jen Ellis, of the organization Ransomware Task Force, told the BBC that “cybercriminals like this gang routinely lie.”
“Where they came from and why they carried out the attack is secondary to the harm currently being caused to patients and hospital staff,” she added.
The hack has resulted in more than a thousand operations and appointments being postponed and has been declared a critical incident.
“Yes, we are aware of the situation,” the hackers said in broken English.
“We feel very sorry for the people who have suffered because of this. We hereby consider ourselves not guilty and we ask you not to blame us in this situation.”
The hackers said the British government should be blamed for not helping in the unspecified war.
The gang, believed to be based in Russia like many ransomware teams, would not say where they are located.
It said the British government “doesn’t invest even a penny in the lives of those fighting on the front lines of the free world,” reminiscent of the language used to describe Ukraine’s fight against the Russian invasion.
But it could also refer to Russian troops fighting Ukraine.
The group says it has deliberately chosen to attack blood testing company Synnovis, which is used by two London NHS trusts.
“Our citizens are dying in an unequal fight due to a lack of medicine and donor blood,” the group said.
It would be unusual but not unprecedented if Qilin hackers were in Ukraine, where many alleged ransomware hackers have been arrested in recent months.
It is very rare for hackers to be arrested in Russia, as the government there refuses to cooperate with requests from Western law enforcement agencies.
Qilin declined to be more specific about its political allegiance or geography “for security reasons.”
This is the first time the crew has claimed to have a political motive for its hacks. Qilin has been tracked since 2022, when it carried out criminal hacks against schools, hospitals, companies, municipalities and healthcare organizations.
The gang demands ransoms from victims in Bitcoin to return systems to normal once they have infected a computer network or stolen private data.
On their darknet site, crew members regularly post details of their latest victims – of the dozens currently listed, none are allegedly linked to political activism.
They have not yet posted the stolen data from Synnovis, but threatened that they would soon: “Stay tunes,” they said.
The hack into London hospitals was first announced on June 3, when pathology service provider Synnovis said all its IT systems were offline.
It meant that blood tests and information sharing could not be carried out using normal computerized systems.
The affected NHS trusts are Guy’s and St Thomas’ NHS Foundation Trust and King’s College Hospitals NHS Trust, with patients affected in four hospitals and GP services in the boroughs of Bexley, Greenwich, Lewisham, Bromley, Southwark and Lambeth.
A hospital doctor told BBC London that blood tests that would once have taken an hour can now take up to six hours because the systems needed to process them are not working.
According to NHS London, five scheduled caesarean sections were rescheduled and 18 organs were diverted for use by other trusts, while 736 outpatient appointments in hospitals and 125 outpatient appointments in the community had to be postponed.
Optional blood-borne virus tests (HIV, Hep C and Hep B) are also currently suspended.
Primary care appointments will continue as normal, but blood tests will be prioritized for urgent cases.
Synnovis says it is working to restore its IT systems and has not confirmed whether or not Qilin is demanding a ransom from the company.
The BBC asked Qilin how they can justify harming innocent people. They said “this interview is over” and haven’t responded since.