The Clop ransomware group attacked biopharmaceutical company ExecuPharm and reportedly leaked some of the company’s compromised data on underground forums.
ExecuPharm, a Pennsylvania-based subsidiary of the U.S. biopharmaceutical giant Parexel, provides clinical trial management tools for biopharmaceutical companies. According to a recent data breach notice, various ExecuPharm servers were hit in a ransomware attack on March 13, which compromised “select corporate and personnel information.” The attack was initiated through phishing emails that were sent to ExecuPharm employees.
“ExecuPharm has notified federal and local law enforcement authorities in the United States and retained leading third party cybersecurity firms to investigate the nature and scope of the incident,” according to the data breach alert, which was sent to the Office of the Vermont Attorney General. “ExecuPharm is also in the process of notifying the relevant authorities as required.”
Compromised data includes ExecuPharm employee social security numbers, taxpayer IDs, driver’s license numbers, passport numbers, bank account numbers, credit card numbers, national insurance numbers, national ID numbers and more. Also affected are “select personnel” of parent company Parexel, whose data was stored on ExecuPharm’s data network. ExecuPharm has about 5,000 employees, according to its website.
A TechCrunch report noted that Clop, the ransomware group behind the attack, has recently begun leaking some of the stolen data. This tactic, known as “double extortion,” sees ransomware groups threaten to publish exfiltrated data, or use it in future spam campaigns, if the ransom isn’t paid. The data published so far on a cybercriminal leak site associated with Clop includes thousands of emails, financial and accounting records, database backups and more.
https://twitter.com/underthebreach/status/1254382668835434496
“Unfortunately for ExecuPharm, the attackers have started releasing personal data on employees which includes some very sensitive data that could be used to steal identities or cause financial fraud,” Joseph Carson, chief security scientist and Advisory CISO at Thycotic, told Threatpost. “At this time, it is not known which approach ExecuPharm will take, how many of their services are unavailable or whether they have a planned and tested incident response plan. Companies need to change their approach to ransomware rather than trying to recover after an incident, especially during these chaotic times with many employees working remotely, leaving more companies at risk.”
Double extortion is a tactic being used increasingly by ransomware groups, including the operators of the Maze, DoppelPaymer and Sodinokibi ransomware families.
In November, for instance, the Maze ransomware group attacked Allied Universal, a large American security staffing company. The attackers threatened to release sensitive information extracted from Allied Universal’s systems after the company refused to pay the 300 Bitcoin (about $2.3 million) ransom.
In a more recent double extortion attack, the DoppelPaymer ransomware operators claimed to have hit a city in Los Angeles County with ransomware and began leaking the city’s data online, according to a recent report.
Impacted employees will receive a year of free identity monitoring and $1 million going toward identity fraud loss reimbursement.