Ransomware today remains one of the most deadly weapons employed by hackers causing widespread damage to all sorts of business and unsuspecting users. Since it also brings in a good payday, it is naturally a common vector employed today.

Even though certain ransomware groups have promised to not attack medical facilities amidst the pandemic, pharmaceuticals still remain an open territory due to their assumed profiteering from such situations.

See: Police lose evidence to Ryuk ransomware attack; suspects walk free

One such example is of March 13 when ExecuPharm, a US-based pharmaceutical company was infected with ransomware via a phishing attack. Then on 17 April, the company notified Vermont’s attorney general’s office through a letter on the details of the attack and the fact that it had also informed both federal and local law enforcement agencies along with hiring cybersecurity firms for investigating.

Furthermore, it stated that employee files may have been compromised which included social security numbers, driver’s license numbers, national insurance numbers, passport numbers, bank account numbers, and additional confidential information.

However, recently, it has been learned that this data has been published to a dark web site that is linked to a ransomware group named CLOP. The group has a reputable history of engaging in such attacks and has infected notable companies in the past like INA Group.

Moreover, since no decryption tool is currently available for its malware strain, institutions like the Maastricht University have been forced to make hefty payments in the past for the decryption of their data.

Currently, the data published includes the following records numbering in the thousands:

  • Emails
  • User documents
  • Financial & accounting records
  • Backups of databases

These can be used not only to engage in future phishing campaigns but also to target ExecuPharm’s users placing them at risk. Moreover, with the trend of these hacking groups creating their own sites on the dark web for leaking such data, it is likely that the data is available on the group’s own site called “CL0P^_- LEAKS”.

In a conversation with Hackread.com, Anurag Kahol, CTO at Bitglass said that,

“Encrypting a victim’s files and exfiltrating the data to publish if the ransom isn’t paid is a growing tactic among ransomware groups, making it more critical for companies to have adequate security tools and controls in place to protect their data.”

See: How to decrypt your data from Hakbit & Jigsaw ransomware for free

“The exposure of sensitive data puts the impacted individuals at risk for identity theft and financial fraud for years to come. Consequently, the pharma giant may face costly penalties for violating compliance regulations such as CCPA,” Anurag warned.

Anurag suggested that to prevent future ransomware attacks and safeguard highly sensitive information, organizations must have full visibility and control over their data.

“This can be accomplished by leveraging multi-faceted solutions that defend against malware on any endpoint, enforce real-time access control, detect misconfigurations, encrypt sensitive data at rest, manage the sharing of data with external parties, and prevent data leakage.”

“Additionally, companies must ensure adequate employee training to protect from ransomware. Employees must be able to identify phishing attempts and illegitimate emails, as phishing is the primary vector for ransomware attacks,” Anurag suggested.

To conclude, due to the lack of details released by the company as of yet, we cannot fully comment on the consequences. However, the company may come under fire for not taking reasonable precautions to secure their systems which ultimately led to this.

For the future, organizations should learn from such incidents and pre-emptively employ cybersecurity agencies to find breach points in their networks before attackers do. Such an approach would significantly reduce the number of successful attacks safeguarding data.

Leave a Comment