Background
Our dark web monitoring flagged the trust on a Qilin leak site at 03:47 on a Tuesday morning. The entry was partial, the pattern Qilin follows when it publishes a teaser during an open negotiation to raise pressure on the victim, which meant the organisation was, at that moment, still being actively worked by the threat actor.
We identified the trust from the partial disclosure, enriched with OSINT, and made contact with the CISO's office at 05:20. The trust's own team had not yet been alerted; its internal monitoring had not flagged the leak-site disclosure.
Initial Response
The CISO confirmed the incident was live. Qilin had been in the environment for an estimated 11 days, with full domain admin compromise achieved on day 3. Encryption had begun 6 hours before our call, and approximately 340 endpoints were already affected when we engaged.
Our IR team was working the problem within 90 minutes of first contact, and remote tooling was deployed within 2 hours. The priority was stopping the spread: Qilin pushes its encryptor out through Group Policy, so a single malicious GPO reaches every domain-joined host on the next policy refresh, and the actor was still actively encrypting at the time of engagement.
Containment
Network segmentation was applied in phases, so propagation was stopped without losing the forensic telemetry still coming from affected hosts. The domain admin accounts the threat actor was using were identified and their sessions terminated, and AD was locked down to prevent re-entry via the access vectors already in the actor's hands.
Full containment was confirmed at hour 8. In total, 340 endpoints were encrypted; approximately 860, including the clinical systems, were unaffected.
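The two containment steps described above, GPO triage and privileged-account lockdown, are the kind of thing an incident responder scripts on the first day. The following is an added PowerShell example written for this page; it is not Binary Response's tooling and it does not describe what was run in this engagement. It assumes the RSAT GroupPolicy and ActiveDirectory modules, a Domain Admin session from a trusted, known-clean admin host, and an 11-day dwell window taken from the case; the evidence path, GPO name and account names in the usage lines at the bottom are placeholders.

```powershell
# Added example (not Binary Response's tooling): triage of GPO abuse and
# containment of compromised privileged accounts during a live ransomware
# incident. Assumes RSAT GroupPolicy + ActiveDirectory modules and a Domain
# Admin session on a trusted admin host. Paths, names and window are placeholders.
Import-Module GroupPolicy
Import-Module ActiveDirectory

# 1. Preserve evidence first: back up every GPO before changing anything.
$evidence = "C:\IR\gpo-backup-$(Get-Date -Format 'yyyyMMdd-HHmm')"
New-Item -ItemType Directory -Path $evidence -Force | Out-Null
Backup-GPO -All -Path $evidence | Out-Null

# Convert a report SOMPath ("corp.example.com/Clinical/Workstations") into the
# LDAP distinguished name that Set-GPLink -Target expects. Site links are not handled.
function ConvertTo-TargetDN {
    param([Parameter(Mandatory)][string]$SomPath)
    $parts  = $SomPath -split '/'
    $domain = ($parts[0] -split '\.' | ForEach-Object { "DC=$_" }) -join ','
    $ous    = @($parts | Select-Object -Skip 1 | Where-Object { $_ })
    if ($ous.Count -eq 0) { return $domain }
    [array]::Reverse($ous)
    return (($ous | ForEach-Object { "OU=$_" }) -join ',') + ',' + $domain
}

# 2. Find GPOs modified inside the suspected dwell window that carry the
#    mechanisms used to fan an encryptor out domain-wide: scheduled/immediate
#    tasks, startup or logon scripts, and file copies. The xsi:type of each
#    client-side extension in the XML report names the settings category.
function Get-SuspectGpo {
    param([int]$DwellDays = 11)
    $cutoff = (Get-Date).AddDays(-$DwellDays)
    $risky  = 'ScheduledTasks|Scripts|Files'
    foreach ($gpo in Get-GPO -All | Where-Object { $_.ModificationTime -gt $cutoff }) {
        $xml  = [xml](Get-GPOReport -Guid $gpo.Id -ReportType Xml)
        $exts = @($xml.GPO.Computer.ExtensionData.Extension) + @($xml.GPO.User.ExtensionData.Extension)
        $hits = $exts | Where-Object { $_ -and $_.GetAttribute('xsi:type') -match $risky } |
                ForEach-Object { $_.GetAttribute('xsi:type') -replace '^.*:' } | Sort-Object -Unique
        if ($hits) {
            [pscustomobject]@{
                Name       = $gpo.DisplayName
                Id         = $gpo.Id
                Modified   = $gpo.ModificationTime
                Categories = $hits -join ','
                LinkedTo   = @($xml.GPO.LinksTo | Where-Object { $_.Enabled -eq 'true' } |
                              ForEach-Object { $_.SOMPath })
            }
        }
    }
}

# 3. Disable the links of a confirmed-malicious GPO rather than deleting it,
#    so the object and its SYSVOL payload stay available for forensics.
#    ConfirmImpact=High means it prompts unless called with -Confirm:$false.
function Disable-SuspectGpoLinks {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param([Parameter(Mandatory)]$Suspect)
    foreach ($som in $Suspect.LinkedTo) {
        $dn = ConvertTo-TargetDN -SomPath $som
        if ($PSCmdlet.ShouldProcess("$($Suspect.Name) -> $dn", 'Disable GPO link')) {
            Set-GPLink -Guid $Suspect.Id -Target $dn -LinkEnabled No | Out-Null
        }
    }
}

# 4. Contain the privileged accounts the actor is using: rotate to a random
#    password, then disable. Caveat: Kerberos tickets already issued stay valid
#    until they expire (10 h by default), so once the actor is confirmed out the
#    krbtgt account must also be reset twice; that step is deliberately manual.
function Invoke-AccountContainment {
    param([Parameter(Mandatory)][string[]]$SamAccountName)
    foreach ($sam in $SamAccountName) {
        $random = -join ((33..126) | Get-Random -Count 32 | ForEach-Object { [char]$_ })
        Set-ADAccountPassword -Identity $sam -Reset -NewPassword (ConvertTo-SecureString $random -AsPlainText -Force)
        Disable-ADAccount -Identity $sam
        Write-Host "Contained $sam"
    }
}

$suspects = Get-SuspectGpo -DwellDays 11
$suspects | Format-Table Name, Modified, Categories, LinkedTo -AutoSize
# After analyst review of the report (placeholder names):
# $suspects | Where-Object Name -eq 'Deploy Update' | ForEach-Object { Disable-SuspectGpoLinks -Suspect $_ }
# Invoke-AccountContainment -SamAccountName 'svc-backup-admin', 'da-jsmith'
```

The ordering matters: backups and the read-only report come before any change, link disabling is preferred over deletion so the malicious GPO remains as evidence, and account rotation is separated from the krbtgt reset because a premature krbtgt reset while the actor still has a foothold only buys a short window.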
Negotiations
Qilin's initial demand was £1.2m. We profiled the group's recent negotiation patterns — Qilin typically accepts 40–60% reductions for organisations that engage professionally and demonstrate financial constraint. Healthcare organisations are treated differently by some groups; Qilin has shown willingness to negotiate on humanitarian grounds in previous engagements.
Sanctions screening returned clear, so payment remained a lawful option. A parallel recovery assessment found that the clinical systems and approximately 60% of administrative systems could be restored from clean backups. This changed the payment calculus significantly: the decryptor's value was limited to the 340 encrypted endpoints, not the full estate.
The final negotiated settlement was substantially below the initial demand. The decryptor was delivered and tested prior to payment, and all encrypted systems were recovered.
Forensics & Breach Notification
Full forensic investigation reconstructed the attack timeline. Initial access was through an internet-facing VPN appliance running a version with a known, unpatched vulnerability (CVE). The 11-day dwell time covered credential harvesting, lateral movement across the domain, and staged exfiltration of approximately 12 GB of administrative data; no patient records were confirmed in the exfiltration scope.
ICO notification was filed within 72 hours of the breach scope being confirmed (the statutory window under UK GDPR Article 33 runs from the point the organisation becomes aware of the breach). The forensic report was accepted without challenge by both the ICO and the trust's cyber insurer.
Outcome
- Clinical operations maintained throughout — no patient harm
- Containment achieved in 8 hours from engagement
- Full recovery of all affected systems within 5 days
- ICO notification filed within 72-hour window
- Insurer claim supported with court-grade forensic documentation
- Post-incident security assessment completed: the exploited VPN vulnerability patched, and monitoring extended to dark web sources for ongoing disclosure risk
"Binary Response contacted us before we knew we had a problem. That call — and the response that followed — is why this didn't become the kind of incident that ends careers."
— CISO, NHS-affiliated Trust