How hackers exploited 'flaws' in NHS systems to seize control (2024)

The NHS has declared a 'critical incident' this week as a cyber attack cancels operations and blood tests across London hospitals.

On Monday, the NHS revealed that Synnovis, a provider of lab services, had been hit by a ransomware attack which shut down key services.

This has led to widespread disruption as affected hospitals have been forced to cancel or outsource operations and blood tests.

MailOnline has spoken with cybersecurity experts to show how hackers exploit simple flaws in systems to seize control of vital data.

These experts reveal how a network of specialist brokers and ransomware gangs work together to exploit our health services for profit.

NHS England declared a critical incident as a lab services provider partnered with several London hospitals including King's College Hospital (pictured) had been the victim of a cyber attack


Patrick Burgess, cybersecurity expert at BCS, The Chartered Institute for IT, told MailOnline that a cyber attack is generally defined as 'malicious or unauthorised access to a digital system'.

'So much of our lives is now supported by computer networks, laptops and phones; any of these things could, in theory, be subject to a cyber attack,' Mr Burgess explains.

While these attacks can take different forms, NHS England revealed that Synnovis had been the victim of a 'ransomware' cyber attack.

During this kind of attack, a hacker gains access to a company's computer system and locks down the system from within in order to extort a ransom.

To do this, criminal groups called ransomware gangs will first identify companies whose systems are already vulnerable to attack.

In some cases, they might employ specialist criminal groups called 'access brokers' who act as facilitators for their attacks.

Synnovis (pictured) provides pathology services for the NHS. Without its services, several trusts have been unable to provide blood transfusions or test results


These groups spend their whole time looking for ways into systems and trying to find compromised passwords to sell for profit rather than making the attack themselves.

A ransomware gang can then buy any credentials that seem profitable from the 'dark web' and use these to implant malicious software ('malware') into the company's system.

In other cases, ransomware gangs themselves will send out millions of automated phishing emails to huge lists of companies.

These emails might contain links or downloads which install a virus onto the victim's computer, from which it can spread to infect the entire system.

Once that virus has been implanted on a single device, it gives hackers a foothold from which they can slowly spread to take over the entire network.

Ross Brewer, vice president of cybersecurity firm Graylog, told MailOnline that hackers use a 'low and slow' approach to take over key systems.

He says: 'They don't want to be caught so they typically work slowly over a period of days, weeks, or months before they pull all the plugs.'

At hospitals such as St Thomas' (pictured) operations have been cancelled or moved to other providers

According to data collected by Mandiant, the average time between first infection and takeover was 10 days in 2023.

But once the criminals have everything in place they will then exploit tools within the computer network to take control and lock legitimate users out.

Usually, Mr Brewer explains, this is done by encrypting the company's data so that employees can no longer read it.

Because this is the same kind of encryption that companies use to keep information safe, victims can't decode their data without the 'key' held by the ransomware gang.

Experts say that hackers used simple flaws to install malware which encrypted key parts of Synnovis' data, meaning that the company is unable to provide their services (file photo)


In the case of healthcare providers like Synnovis, this triggers delays because the malware locks employees out of critical information.

The NHS says it has had to cancel blood transfusions and patient operations due to the hack.

Cybersecurity consultant James Bore told MailOnline: 'What will be happening is that there's going to be a database system involved which will have been introduced to speed up blood test results.

'Now, if that database is encrypted [by the hackers], you suddenly have to fall back on paper notes.'

In a statement released yesterday, NHS England confirmed that the hack was having 'a significant impact on the delivery of services'.

Guy’s and St Thomas’, King’s College Hospital NHS Foundation Trusts as well as primary care services in south east London have all been hit with delays.

Already some procedures have been cancelled or transferred to other providers as hospitals partnered with Synnovis lose access to blood transfusion and test services.

Until Synnovis either pays the ransom or restores the data from a backup, it is likely that delays and disruption will persist.

How do ransomware attacks happen?

Ransomware attacks use computer viruses to encrypt a company's data, charging a ransom for the key to unlock it.

First, ransomware gangs look for a victim, either using phishing emails or buying passwords from an access broker.

Once they have access, hackers will insert malware onto an employee's computer.

This malware slowly spreads through the network over about 10 days.

When the hackers are ready, they encrypt the most critical data and shut employees out of the system.

The company will now need to pay the ransom or restore their data from a backup.


To get services back online Synnovis will either need to pay the ransom or restore its data from an earlier backup.

The NHS and the National Cyber Security Centre do not pay ransoms as a general rule, and even if they did there is no guarantee of getting their data back.

Mr Bore says: 'There are no guarantees; you're dealing with a criminal organisation who has proven that they are perfectly happy to break the law.'

In some cases, the cybercriminals behind the attack may simply refuse to decrypt the data or they may use a technique called 'double extortion'.

Criminals may not only encrypt the data but also steal a copy and threaten to publish it online if the victim does not pay.

This means that Synnovis will likely have to restore their databases from an earlier backup – a time-consuming and difficult process that can take between days and weeks.

Experts told MailOnline that attacks like this are usually not highly targeted and Synnovis is more likely to have been hit as part of a 'crime of opportunity'.

However, while the initial contact may have been bad luck, Synnovis' importance may have made criminals more eager to pursue their attack.

Mr Bore says: 'It's notable that the company who were impacted, just a few months ago, were happily declaring that they've managed to centralise the pathology services of multiple different hospitals.'

It isn't clear whether Synnovis had been deliberately targeted. NHS lab work is a critical service which makes it primed for extortion but the majority of ransomware attacks are opportunistic (file photo)

This might have made Synnovis a tempting target for criminals hoping that bigger potential disruption could lead to a bigger ransom.

Ciaran Martin, former chief executive of the National Cyber Security Centre, has suggested that the group behind the attack could be a threat actor known as Conti.

Although the evidence is still emerging, it is believed that Conti could be behind the Black Basta malware group used in this attack and many others.

Joanne Coy, senior cyber threat intelligence analyst at Bridewell, told MailOnline: 'Black Basta have a clear history in targeting the healthcare sector – indeed, they have accelerated their attacks against this sector in 2024.'

Ms Coy adds: 'The group behind the attack on Synnovis are known for using highly targeted phishing emails to gain initial access so it is possible that this is how Synnovis has been compromised.'

Article information

Author: Greg Kuvalis
