Stolen ExecuPharm data published by hackers on a Dark Web site

Hacker group CLOP recently published vast troves of information on the Dark Web that it stole from U.S. pharmaceutical giant ExecuPharm via a ransomware attack.

Recently, ExecuPharm informed the Attorney General's office in Vermont that it suffered a ransomware attack on 13th March that resulted in hackers accessing vast troves of personal data such as social security numbers, driver licenses, financial information, passport numbers, and other sensitive details.

Headquartered in Pennsylvania, ExecuPharm is one of the largest outsourcing service providers in the U.S., providing clinical research support services for the pharmaceutical industry. The firm specializes in offering a full spectrum of outsourcing solutions for disciplines such as clinical, data management, safety, regulatory and medical affairs. It has more than five thousand employees and is presently running over 1,400 projects for pharma companies.

In the letter sent to the Attorney General's office on 17th April, ExecuPharm said that hackers behind the cyber attack "sought a ransom in exchange for decryption" after infiltrating its servers using phishing emails sent to the firm's employees.

"We believe the individuals behind this data security incident may have accessed employee files. As a result, the information that may have been involved includes: social security numbers, taxpayer ID/EIN, driver's license numbers, passport numbers, bank account numbers, credit card numbers, national insurance numbers, national ID numbers, IBAN/SWIFT numbers, and beneficiary information," the firm said.

"ExecuPharm internal teams worked diligently with forensic consultants to rebuild the impacted servers from back up servers and have now fully restored and secured the ExecuPharm systems. This included the installation of forensic tools on all systems and the isolation of impacted systems until ExecuPharm could confirm that they were secure.

"ExecuPharm also implemented additional countermeasures to block further ransomware emails from entering the ExecuPharm environment. ExecuPharm also upgraded its security measures to prevent future attacks, including forced password resets, multi-factor authentication for remote access, and endpoint protection, detection, and response tools," it added.

CLOP ransomware group published ExecuPharm data on the Dark Web

According to TechCrunch, an ExecuPharm executive confirmed that the CLOP ransomware group was behind the cyber attack on the firm's systems in March. It further revealed that the ransomware group had, in fact, published data stolen from the firm on a Dark Web site, possibly after the firm failed to pay a ransom.

TechCrunch found that the Dark Web site "contains a vast cache of data, including thousands of emails, financial and accounting records, user documents and database backups, stolen from ExecuPharm’s systems."

Commenting on the ransomware attack targeting ExecuPharm, Chris DeRamus, CTO of DivvyCloud, told TEISS that there are no known decryption tools for CLOP ransomware, making this incident particularly concerning, and further demonstrates the need for organisations to implement a more proactive approach to security and compliance practices.

"Healthcare and pharmaceuticals organisations are ranked as one of the top targets for cyber attacks, as they house massive troves of personally identifiable information (PII) on their patients and customers. This data includes Social Security numbers, full names and addresses, financial information, driver licenses, birth dates, and more, which hackers leverage to commit a number of scams.

"To protect customer data, enterprises need to follow the principle of least-privileged access in provisioning identity access management (IAM) permissions, by providing checks to restrict identities to do no more than they are supposed to, across their systems. Organizations should also implement MFA for all users, securely manage service accounts and their corresponding keys, and enforce best practices for the use of audit logs and cloud logging roles," he added.

ALSO READ: Interpol warns hospitals against crippling ransomware attacks

MORE ABOUT: