[BreachExchange] Hackers publish ExecuPharm internal data after ransomware attack

Destry Winant destry at riskbasedsecurity.com
Wed Apr 29 10:13:29 EDT 2020


https://techcrunch.com/2020/04/27/execupharm-clop-ransomware/

U.S. pharmaceutical giant ExecuPharm has become the latest victim of
data-stealing ransomware.

ExecuPharm said in a letter to the Vermont attorney general’s office
that it was hit by a ransomware attack on March 13, and warned that
Social Security numbers, financial information, driver licenses,
passport numbers and other sensitive data may have been accessed.

But TechCrunch has now learned that the ransomware group behind the
attack has published the data stolen from the company’s servers.

It’s an increasingly popular tactic used by ransomware groups, which
not only encrypts a victim’s files but also exfiltrates the data and
threatens to publish the data if a ransom isn’t paid. This new
technique was first used by Maze, a ransomware group that first
started hitting targets in December. Since then, a number of new and
emerging groups, including DoppelPaymer and Sodinokibi have adopted
the same approach.

The data was posted to a site on the dark web associated with the CLOP
ransomware group. The site contains a vast cache of data, including
thousands of emails, financial and accounting records, user documents
and database backups, stolen from ExecuPharm’s systems.

When reached, a company executive confirmed to TechCrunch that CLOP
was behind the attack.

“ExecuPharm immediately launched an investigation, alerted federal and
local law enforcement authorities, retained leading cybersecurity
firms to investigate the nature and scope of the incident, and
notified all potentially impacted parties,” said ExecuPharm operations
chief David Granese.

Since the outbreak of COVID-19, some of the ransomware groups have
shown mercy on medical facilities that they have pledged not to attack
during the pandemic. CLOP said it too would not attack hospitals,
nursing homes or charities, but said ExecuPharm would not qualify,
saying that commercial pharmaceutical companies “are the only ones who
benefit from the current pandemic.”

Unlike some strains of ransomware, there is no known decryption tool
for CLOP. Maastricht University found out the hard way after it was
attacked last year. The Dutch university paid out close to $220,000
worth of cryptocurrency to decrypt its hundreds of servers.

The FBI has previously warned against paying the ransom.


More information about the BreachExchange mailing list