A major US pharmaceutical firm has revealed that ransomware attackers recently encrypted its servers and stole corporate and employee data.
ExecuPharm explained in a breach notification to the Office of the Vermont Attorney General that the incident occurred on March 13, when “unknown individuals” deployed ransomware to its IT systems and sought payment in return for a decryption key.
“As part of this incident, ExecuPharm employees received phishing emails from the unknown individuals,” it said.
“Upon a thorough investigation, ExecuPharm determined that the individuals behind the encryption and the sending of these emails may have accessed and/or shared select personal information relating to ExecuPharm personnel, as well as personal information relating to Parexel personnel, whose information was stored on ExecuPharm’s data network.”
Parexel is the Massachusetts-headquartered parent company of ExecuPharm.
The firm claimed that information stolen included: social security numbers, taxpayer IDs, driver’s license numbers, passport numbers, bank account details, credit card numbers, NI numbers and beneficiary information.
That represents a major haul for any data theft and one which could be sold on the dark web and/or, as has been reported, published online in an attempt to persuade the firm to pay the original ransom.
Matt Walmsley, EMEA director at Vectra, warned that there are no publicly available decryption methods for the ransomware used in this attack, and that pharma companies rich with sensitive R&D represent a highly lucrative target for cyber-criminals.
“Attackers tend to target privileged entities associated with accounts, hosts and services due to the unrestricted access they can provide and to ease replication and propagation. Attackers will manoeuvre themselves through a network and make that step from a regular user account, to a privileged account which can give them access to all the data they need in order to finalize their ransomware attack and bribe their victims,” he explained.
“Therefore, security teams need to be agile as time is their most precious resource in dealing with ransomware attacks. Early detection and response are key to gaining back control and stopping the attackers in their tracks before they can propagate across the organization, stealing and denying access to data.”