Hackers Publish ExecuPharm Data They Stole In Ransomware Attack

ExecuPharm, a subsidiary of US biopharmaceutical giant Parexel, has suffered a ransomware attack that has escalated into a data breach, according to a recent announcement from the company.

A provider of pharmaceutical clinical research support services, ExecuPharm has been hit by the CLOP ransomware threat, the company stated in a letter to the Office of The Vermont Attorney General. The attack happened on March 13, 2020, and "compromised select corporate and personal information."

"As part of this incident, ExecuPharm employees received phishing emails from the unknown individuals. Upon a thorough investigation, ExecuPharm determined that the individuals behind the encryption and the sending of these emails may have accessed and/or shared select personal information relating to ExecuPharm personnel, as well as personal information relating to select personnel of Parexel, whose information was stored on ExecuPharm's data network," the company's notice read.

Even though the attack happened last month, ExecuPharm started notifying its employees and the authorities of the data breach only after the stolen information was posted on a dark web site that has previously been associated with the CLOP ransomware group.

The tactic of stealing important files before encrypting them was first used by the Maze group, but was quickly adopted by many others, including the operators of Sodinokibi, LockBit, and DoppelPaymer, to name a few.

The ExecuPharm leak was significant in scale and contained a variety of information, including financial and accounting records, Social Security numbers, bank account and credit card numbers, passport and driver's license numbers, IBAN/SWIFT numbers, national insurance numbers, national ID numbers, taxpayer ID/EIN, and thousands of internal emails.

The company says that, in response to the incident, it has managed to recover the impacted servers from backups, notified law enforcement, forced password resets, and introduced a number of new protective measures, including multi-factor authentication and identity monitoring services.

The operators of the CLOP ransomware are among the groups that pledged not to attack hospitals, charities, and nursing homes during the COVID-19 pandemic. The cybercriminal gang, however, has stated that commercial pharmaceutical companies like ExecuPharm would not be spared, as they "are the only ones who benefit from the current pandemic."

ExecuPharm's incident is proof that the evolving tactics of ransomware operators can place more pressure even on companies that have backed up their sensitive data and refuse to pay the ransom. The threat of publishing such information can be used by the attackers as leverage against anyone who doesn't want to pay up or who manages to recover the encrypted data without their "help."