London Hospital Ransomware Legacy, Operation PowerOFF and RedSun Zero‑Day, London 2026


Key points

  • London hospitals are still reeling from a June 2024 ransomware strike by the Qilin ransomware group, with at least one NHS trust reported to be operating without fully restored systems more than 18 months on.
  • Internal documents cited by CISO Series show that affected trusts are managing large backlogs of delayed pathology test results, constrained blood supplies, and the theft and potential publication of sensitive patient data.
  • The breach originated with the Synnovis pathology‑testing laboratory, which services several major London hospitals, including Guy’s and St Thomas’ NHS Foundation Trust and King’s College Hospital.
  • Security analysts, including those cited in CloudDefense‑AI and CISO Series coverage, say the attack exploited a known or possibly zero‑day‑class vulnerability, highlighting longstanding weaknesses in outsourced health‑IT infrastructure.
  • On the law‑enforcement front, Operation PowerOFF, led by Europol and involving 21 countries, has seized 53 DDoS‑for‑hire “booter” domains and disrupted roughly 75,000 users, exposing more than 3 million criminal accounts.
  • As reported by reporters for The Hacker News and CyberPress, the action targeted the backend infrastructure and payment systems of widely used “booter” platforms, arresting four operators and executing 25 search warrants.
  • Separately, Microsoft has disclosed what CISO Series and other cybersecurity outlets describe as a “RedSun”‑branded zero‑day win‑binary vulnerability in parts of Microsoft Defender, allowing attackers to bypass detection under certain conditions.
  • Security vendors and Microsoft customers have been urged to update Defender components and harden endpoint‑protection policies, amid warnings that the flaw could be chained with other access methods to escalate ransomware or espionage campaigns.

London – Synnovis / NHS London (The Londoner News) April 20, 2026 — More than a year after a ransomware gang crippled a key London pathology‑testing laboratory, hospitals in the capital are still struggling with incomplete systems, delayed test results, and fragile blood‑supply chains, according to internal documents quoted by David Spark and other contributors on CISO Series.

The incident unfolded in June 2024 when the Qilin ransomware group, operating under various aliases, hit Synnovis, an outsourced pathology provider that supports several major acute‑care trusts in London, including Guy’s and St Thomas’ NHS Foundation Trust and King’s College Hospital. Those links mean that disruptions to Synnovis’ IT systems cascaded into wards, emergency departments, and outpatient clinics, forcing staff to revert to manual processes and paper‑based workflows in many areas.

CISO Series reports that internal NHS documentation indicates at least one trust is still running without fully restored systems and is managing a backlog of delayed test results, restricted blood products, and postponed treatment pathways for highly time‑sensitive conditions such as cancer.

“Internal documents show that at least one National Health Service trust is still working without fully restored systems and managing large backlogs of delayed test results, restricted blood supplies, the theft and publication of sensitive patient data, and delayed treatment of highly time‑sensitive conditions like cancer,” Spark summarised on the CISO Series cybersecurity news briefing.

How the London hospital ransomware attack unfolded

The attack chain began, according to a threat‑intelligence write‑up cited by CloudDefense‑AI, with a vulnerability in Synnovis’ network or partner‑facing systems that allowed attackers to deploy ransomware and encrypt storage clusters. The group then exfiltrated roughly 400 gigabytes of data, including patient records and internal operational information, before partially or fully disabling laboratory information management systems.

Security commentators on CISO Series and LinkedIn‑style summaries note that the incident underscored the risks of relying on a single, outsourced pathology provider for a large cluster of London hospitals. “Over 1,100 operations were rescheduled, 2,000 outpatient appointments affected, and 400 GB of data stolen, causing significant disruption and exposing sensitive patient and business information,” CloudDefense‑AI’s analysis of the Synnovis breach states.

What data was exposed, and what patients faced

The data‑exfiltration component, as outlined in security‑briefing material, involved a mix of clinical pathology reports, staff‑directory information, and internal communications. Some patient records reportedly contained identifiers and test histories, although the exact number of individuals affected has not been uniformly disclosed across all reporting.

CISO Series coverage emphasises that the prolonged impact includes not only logistical chaos but also clinical risk: delayed diagnosis of conditions such as blood cancers and heart‑related disorders, and tighter constraints on blood‑bank availability for emergency and surgical use. Analysts quoted by the outlet warn that the “legacy” of the 2024 ransomware strike is visible in continued manual workarounds, slower test turnaround times, and extra administrative burdens on already‑stretched NHS staff.

Why were London hospitals so vulnerable?

Cyber‑risk firms and security analysts have repeatedly pointed to older infrastructure, patch‑management gaps, and “known‑but‑unremediated” vulnerabilities in outsourced health‑IT environments as contributors. As noted in a CloudDefense‑AI breach‑analysis piece, Synnovis’ security measures were reportedly criticised internally by London hospitals even before the 2024 attack, with concerns raised about inadequate data‑security standards and audit‑team recommendations that had not been acted upon.

“Security measures failed due to a known vulnerability, possibly via a zero‑day exploit, and inadequate data security standards that had been flagged by London hospitals in internal conversations,” the firm writes. That same line of analysis is echoed in CISO Series commentary, which frames the Synnovis incident as emblematic of systemic weaknesses when critical health‑care functions are outsourced without commensurate resilience and incident‑response planning.

What is Operation PowerOFF, and who was arrested?

Law‑enforcement agencies across 21 countries have announced a coordinated disruption of global “DDoS‑for‑hire” services under Operation PowerOFF, seizing 53 domain names and infrastructure clusters and exposing more than 3 million user accounts. The operation was described by Europol‑backed outlets as one of the largest ever actions against the underground “booter” ecosystem, which lets even low‑skilled users launch volumetric attacks against websites and online services.

How did law enforcement dismantle the DDoS‑for‑hire services?

Investigators, as detailed in coverage by The Hacker News and CyberPress, took down front‑end “booter” portals and underlying backend servers, databases, and payment‑processing nodes. In parallel, they gained access to databases containing more than 3 million criminal‑user accounts, many of which were linked to recurring DDoS attacks on corporate, government, and educational networks.

According to The Hacker News, at least four individuals have been arrested in connection with the takedown, with 25 search warrants executed across multiple jurisdictions. CyberPress’s reporting similarly notes that the operation disrupted roughly 75,000 active users who had paid for or used DDoS‑for‑hire platforms, while authorities prepare to send warning notices to many of the identified account holders.

How will PowerOFF impact cybercrime in the long term?

Experts cited by The Hacker News and CyberPress describe Operation PowerOFF as a “significant disruption” to the automated DDoS economy but caution that other “booter” platforms will likely emerge to fill the void. “The ongoing effort, dubbed Operation PowerOFF, disrupted access to the DDoS‑for‑hire services, took down the technical infrastructure supporting them, and obtained access to databases containing over three million criminal user accounts,” CyberPress writes, summarising Europol’s overall posture.

Analysts quoted in the same outlets argue that the operation may push attackers toward more sophisticated, custom‑built botnets or rented botnet services, rather than mass‑market “booter” sites. They also suggest that legitimate web and cloud providers will need to tighten abuse‑report handling and payment‑monitoring protocols to limit the profitability of similar platforms in the future.

What is the Microsoft Defender “RedSun” zero‑day vulnerability?

In parallel to the London hospital‑ransomware legacy and the PowerOFF takedowns, Microsoft has disclosed a previously unpatched vulnerability in parts of Microsoft Defender, which cybersecurity outlets, including CISO Series, describe under the informal label “RedSun.” The flaw, a win‑binary vulnerability in certain Defender components, could allow a sufficiently privileged attacker to bypass signature‑based detection or escalate privileges under specific conditions.

How does the “RedSun” flaw work?

According to the technical‑briefing elements recapped on CISO Series, the RedSun vulnerability arises from improper validation of binary images or memory structures handled by Defender’s real‑time‑protection engine, which can be triggered by crafted executables or maliciously signed binaries in rare scenarios. This could, in theory, enable an adversary who already has a foothold on a device to disable or evade Defender components, or to chain the flaw with other exploits to maintain persistence.

Microsoft has released Defender updates and configuration‑hardening recommendations aimed at mitigating the risk, including guidance to ensure Defender is running the latest engine versions and to treat unsigned binaries as higher‑risk. Security researchers summarising the issue note that while the vulnerability is not remotely exploitable from the internet in isolation, it becomes more dangerous in the context of ransomware or advanced persistent threat campaigns that begin with phishing or compromised credentials.

How does “RedSun” relate to the London hospital ransomware?

CISO Series and associated commentators have not identified a direct link between the RedSun vulnerability and the specific 2024 Synnovis attack, but they do frame both incidents as part of a broader pattern: that legacy‑ and third‑party‑managed environments are increasingly targeted with mixed‑technique campaigns blending known‑vulnerability exploitation, ransomware deployment, and stealth‑evasion tactics.

In this light, analysts emphasise that the Microsoft Defender advisory should prompt organisations, including NHS trusts and their suppliers, to audit endpoint‑protection configurations, review update‑and‑patching policies, and ensure that logging and monitoring for Defender‑related anomalies are in place.
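The audit the analysts describe can be started from a single endpoint with the built‑in Defender cmdlets. The script below is an added example, not code from the article or from Microsoft’s advisory; it assumes the Defender PowerShell module is present (Windows 10/11 or Server 2016 and later) and that the session can read the Defender operational event log. It reports engine and signature state and surfaces the event IDs that Defender writes when real‑time protection or scanning is disabled or its configuration changes, which is the “disable or evade Defender components” scenario the advisory warns about.

```powershell
# Added example (not from the article): read-only Defender health and tamper-event audit.
# Assumes the Defender module (Get-MpComputerStatus) and read access to the
# 'Microsoft-Windows-Windows Defender/Operational' log.

$status = Get-MpComputerStatus

# Engine/signature currency and protection switches the advisory asks teams to verify.
$checks = [ordered]@{
    'Engine version'          = $status.AMEngineVersion
    'Signature version'       = $status.AntivirusSignatureVersion
    'Signatures last updated' = $status.AntivirusSignatureLastUpdated
    'Real-time protection on' = $status.RealTimeProtectionEnabled
    'Behaviour monitoring on' = $status.BehaviorMonitorEnabled
    'Tamper protection on'    = $status.IsTamperProtected
}
$checks.GetEnumerator() | ForEach-Object { '{0,-26} {1}' -f $_.Key, $_.Value }

# Signature age of more than two days usually means the update channel is broken on this host.
if ($status.AntivirusSignatureAge -gt 2) {
    Write-Warning ("Signatures are {0} days old" -f $status.AntivirusSignatureAge)
}
if (-not $status.RealTimeProtectionEnabled) {
    Write-Warning 'Real-time protection is OFF on this host'
}

# Defender operational events that indicate it was switched off or reconfigured:
#   5001 real-time protection disabled
#   5007 configuration changed (for example a new exclusion path)
#   5010 scanning for malware disabled
#   5012 scanning for viruses disabled
$tamperIds = 5001, 5007, 5010, 5012
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = $tamperIds
    StartTime = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue

if ($events) {
    $events |
        Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { $_.Message.Split("`n")[0] } } |
        Format-Table -AutoSize
} else {
    'No Defender disable/reconfigure events in the last 7 days.'
}
```

Run it under a scheduled task or via remote PowerShell across a fleet and forward any 5001/5010/5012 hits to the SIEM; on a healthy host the event query returns nothing.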

What does this mean for the future of cyber‑resilience in London hospitals?

Security commentators and threat‑intelligence briefings repeatedly stress that the London‑hospital ransomware episode, the ongoing fallout for affected trusts, and the wider disruptions delivered by Operation PowerOFF all point toward a need for more robust, segmented, and resilient health‑IT ecosystems.

The Hacker News and CyberPress both observe that the PowerOFF takedown, while not a complete cure, demonstrates that international law‑enforcement cooperation can meaningfully disrupt the commoditised cybercrime infrastructure that supports many large‑scale attacks. At the same time, security briefings on the Synnovis breach and RedSun‑style vulnerabilities underline that technical fixes and takedowns must be combined with organisational governance changes, including stronger outsourcing risk controls and real‑time incident‑response planning for outsourced health‑care providers.

As the London‑hospital ransomware legacy continues to echo through NHS operations, regulators, clinicians and security teams alike are being urged to treat the 2024 attack not as an isolated event but as a warning sign in an era where cyber‑resilience is as critical as clinical care.