When the dust settles on a ransomware incident that has halted operations and blood transfusions in several major London hospitals, the NHS may not be able to accurately assess if anyone died as a result.
That’s the warning from a cybersecurity CEO who called for deaths from cyberattacks to be properly recorded in order to understand the true impact of critical incidents.
Russian hackers have been blamed for a ransomware attack on Guy’s, St Thomas’ and King’s College, as well as the Evelina children’s hospital, Royal Brompton and Harefield specialist heart and lung hospitals, and Princess Royal hospital in Orpington.
Hackers reportedly targeted the pathology services firm Synnovis, infecting its systems with ransomware.
As well as cancelling operations, at least one of the hospitals was forced to postpone births by caesarean section.
Tarah M. Wheeler, CEO & Founder of Red Queen Dynamics, previously published a report which found that 300 people died as a result of the WannaCry attack in 2022.
On X, Wheeler wrote: “Even if people die as a result of this attack, there is no way to code a death as having a tertiary cause of cyberattack, and as a result ‘no’ people will die based on this. We must track actuarial data from cyberattacks, and we currently do not.
“Right now, *no one* has died from a cyberattack that has targeted or shut down a hospital, but actuarial data shows that more than 300 people *probably* died as a result of WannaCry delaying 13,500 cancer treatment appointments.
“Because it's not on a death certificate, technically, no one has died from a cyberattack, but North Korea absolutely deserves to have those 300 *probabilistic* deaths laid at its feet.
“It's also part of why deaths from cyberattacks need to be counted like public health does it - missing lives as a result of an event. There are about one million missing people in the US as a result of Covid, and that is considered a valid scientific data point.”
In a report published in 2022, Wheeler also wrote: "Our approach to medicine and health tends to be individually orientated and since there is no way to code on a death certificate that it happened from a cyberattack - just as subsequent development of cancer some time after the 9/11 attacks or adverse health outcomes from COVID that are not related to individual infection are not, and cannot, be coded on a death certificate, despite them being connected.
"The only obvious way of making assessment of impact is through the measurement of excess deaths during a particular period or geographical region and the connection/causality cannot be definitively proven in the usual way."
Speaking on background, an NHS source told The Stack that the full extent of the attack is not yet known, although it will report accordingly in line with ICO requirements when the incident is fully assessed.
An NHS spokesperson said: “NHS England has deployed a cyber incident response team, which is working round the clock to support Synnovis and provide emergency guidance, as well as coordinating with health services across the capital to minimise disruption to patient care.”
Ciaran Martin, former chief executive of the National Cyber Security Centre, attributed the attack to a Russian group called Qilin.
Speaking on Radio 4’s Today Programme, he said: “These criminal groups – there are quite a few of them – they operate freely from within Russia, they give themselves high-profile names, they’ve got websites on the so-called dark web, and this particular group has about a two-year history of attacking various organisations across the world.
“They’ve done automotive companies, they’ve attacked the Big Issue here in the UK, they’ve attacked Australian courts. They’re simply looking for money.”
Earlier this year, investigators from Group-IB infiltrated Qilin to find it specialised in targeting critical national infrastructure with ransomware written in Rust and Go languages to encrypt data on Windows, Linux, and VMware ESXi servers.
Qilin also operates a ransomware-as-a-service (RaaS) scheme which earns it a commission of 20% for attacks earning under $3 million and 15% for incidents which net more than that amount.
The gang uses phishing emails with malicious links to infiltrates networks, exfiltrating data before encrypting it. Victims that do not pay have their data published on the dark web.
“The threat actors can leverage such tactics as changing the filename extensions of encrypted files and terminating specific processes and services,” Group-IB wrote.
“The Rust variant is especially effective for ransomware attacks as, apart from its evasion-prone and hard-to-decipher qualities, it also makes it easier to customise malware to Windows, Linux, and other OS. It is important to note that the Qilin ransomware group has the ability to generate samples for both Windows and ESXi versions."
Unfortunately, business is pretty good for cybercriminals right now, who earned more than $1 billion from ransomware in 2023 - a record high.