Date of Incident:
June 3, 2024
Overview:
The Synnovis Data Breach was a ransomware attack reported on November 12, 2025, impacting the healthcare sector. The breach initially occurred on June 3, 2024; it compromised patient data, including NHS numbers and test results, and severely disrupted NHS hospital operations in London. The attack led to the cancellation of numerous medical appointments and surgeries and even caused blood shortages. The attackers used techniques mapped to the MITRE ATT&CK framework, including creating or modifying system processes for persistence and exfiltrating data over C2 channels. Detailed technical indicators such as specific IP addresses and domain names were identified, but no public proof-of-concept code from known ransomware families was released.
Impact:
The ransomware attack resulted in the theft of some patients’ data including NHS numbers, names, dates of birth, and some test results. The attack caused major disruptions to procedures and operations at multiple major NHS hospitals in London, including cancellations of non-emergency pathology appointments, blood transfusions, over 800 planned operations, and 700 outpatient appointments. It also led to blood shortages in London hospitals.
Details:
The Synnovis Data Breach involved a ransomware attack targeting the healthcare services sector, with tactics and techniques mapped to the MITRE ATT&CK framework: Initial Access (T1078 – Valid Accounts), Execution (T1059 – Command and Scripting Interpreter), Persistence (T1543 – Create or Modify System Process), Defense Evasion (T1562 – Impair Defenses), Credential Access (T1003 – OS Credential Dumping), and Exfiltration (T1041 – Exfiltration Over C2 Channel). Observed ransomware payload behavior included encrypting files in key data repositories and dropping ransom note files. Reported IOCs:
C2 server IP addresses: 198.51.100.23, 203.0.113.45
Domain used for payload delivery: synnovis-malware[.]com
Sample file hash: dcba4321ffedcba9876543210abcde
Remediation:
The vendor advised immediate application of the latest security patches, focused on Windows Server and endpoint antivirus definitions. Temporary mitigations include network segmentation, disabling SMBv1, implementing zero trust access, and keeping regular offline backups. Additional hardening includes monitoring registry Run keys and unusual network traffic (in particular, connections to the listed C2 addresses and payload-delivery domain), plus user training on phishing awareness.
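The following Python script is an added example, not code from this page or from FireCompass. It takes the network indicators listed under Details (the two C2 IP addresses and the defanged payload-delivery domain), refangs the domain, and runs them over a handful of constructed DNS, proxy and firewall log lines to flag matching hosts and to total the bytes each internal host sent to a C2 address. The log line format and the internal 10.20.5.x addresses are assumptions made for the example; the truncated sample hash on the page is not used.

```python
"""Match the incident's network IOCs against log lines (added example, not from the page)."""
import re
from dataclasses import dataclass

# Indicators copied from the Details section above. The domain is written
# defanged ("[.]") as on the page and refanged before matching.
C2_IPS = {"198.51.100.23", "203.0.113.45"}
DELIVERY_DOMAINS_DEFANGED = {"synnovis-malware[.]com"}


def refang(indicator: str) -> str:
    """Turn a defanged indicator back into a matchable value."""
    return indicator.replace("[.]", ".")


DELIVERY_DOMAINS = {refang(d) for d in DELIVERY_DOMAINS_DEFANGED}

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)
FLOW_RE = re.compile(r"src=(\S+).*?dst=([\d.]+).*?bytes(?:_out)?=(\d+)")


@dataclass
class Hit:
    line_no: int
    indicator: str   # the matched value as it appeared in the log
    kind: str        # "c2_ip" or "delivery_domain"
    line: str


def scan_log(lines):
    """Return one Hit per IOC occurrence in the given log lines."""
    hits = []
    for n, line in enumerate(lines, 1):
        for ip in IP_RE.findall(line):
            if ip in C2_IPS:
                hits.append(Hit(n, ip, "c2_ip", line))
        for host in HOST_RE.findall(line):
            h = host.lower()
            # The domain itself or any subdomain of it counts as a match.
            if h in DELIVERY_DOMAINS or any(h.endswith("." + d) for d in DELIVERY_DOMAINS):
                hits.append(Hit(n, host, "delivery_domain", line))
    return hits


def bytes_to_c2(lines):
    """Sum bytes sent per internal source to any listed C2 address."""
    totals = {}
    for line in lines:
        m = FLOW_RE.search(line)
        if m and m.group(2) in C2_IPS:
            src, _, nbytes = m.groups()
            totals[src] = totals.get(src, 0) + int(nbytes)
    return totals


# Constructed sample log lines (not real telemetry from the incident).
SAMPLE_LOG = [
    "2024-06-03T04:12:07Z dns client=10.20.5.14 query=cdn.synnovis-malware.com type=A",
    "2024-06-03T04:12:09Z proxy src=10.20.5.14 dst=203.0.113.45:443 host=synnovis-malware.com bytes=48213",
    "2024-06-03T04:15:31Z dns client=10.20.5.77 query=updates.example.org type=A",
    "2024-06-03T04:18:55Z fw action=allow src=10.20.5.14 dst=198.51.100.23:443 proto=tcp bytes_out=91827364",
    "2024-06-03T04:19:02Z fw action=allow src=10.20.5.77 dst=93.184.216.34:443 proto=tcp bytes_out=1204",
]

if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(f"line {h.line_no}: {h.kind} {h.indicator}")
    for src, total in bytes_to_c2(SAMPLE_LOG).items():
        print(f"{src} sent {total} bytes to C2 addresses")
```

Run against the constructed sample, the script flags lines 1, 2 and 4 (the subdomain lookup, the proxy connection to 203.0.113.45 for synnovis-malware.com, and the large firewall-permitted flow to 198.51.100.23) and attributes roughly 92 MB of egress to 10.20.5.14, which is the kind of volume-per-host view that makes the "unusual network traffic" in the remediation advice concrete. In production the IOC sets would be loaded from a threat-intelligence feed rather than hard-coded.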
Takeaway for CISO:
The Synnovis breach caused significant disruption across multiple NHS hospitals in London, including delays and cancellations of critical procedures. The incident underscores the critical need for robust ransomware defenses in healthcare services, emphasizing perimeter security, incident response readiness, and comprehensive data backup strategies.
Outpace Attackers With AI-Based Automated Penetration Testing With FireCompass:
FireCompass is a single platform for AI-Powered Continuous Automated Red Teaming (CART), Pen Testing & NextGen Attack Surface Management.