- Employees of ExecuPharm have been compromised by ransomware actors who stole their data.
- The information includes PII as well as financial details, so the company covered the cost of an identity protection service.
- The actors behind the attack are the CLOP ransomware group, who are using a strain that is yet to be unlocked.
ExecuPharm, a subsidiary of the American pharmaceuticals giant “Parexel,” has announced a security incident involving data-stealing ransomware. The company experienced the compromise on March 13, 2020, when a ransomware attack encrypted a subset of their systems. At the same time, the actors managed to steal files from the firm’s servers and began the extortion process. Most of the information that was accessed and stolen concerns the personnel of ExecuPharm and Parexel, and it involves highly sensitive, personally identifiable, as well as financial data.
More specifically, the actors managed to steal employee names, social security numbers, taxpayer IDs, driver’s license numbers, passport numbers, bank account numbers, credit card numbers, national insurance numbers, national ID numbers, IBAN/SWIFT numbers, and whatever beneficiary information corresponded to each employee. The compromise is severe, and ExecuPharm notified the law enforcement authorities in the United States immediately. Moreover, they have contracted a cybersecurity expert to help them investigate the nature and scope of the incident, and they are currently in the process of informing the affected individuals.
As every employee file is different, everyone is now urged to contact ExecuPharm by sending an email to “email@example.com” or call “1-800-819-0974,” where the company’s agents give details regarding what information was exposed. In the notifications, there are details on how to join the identity monitoring program until July 31, 2020. The pharma company has also covered an identity fraud loss reimbursement of $1 million, covering legal costs and relevant expenses in the unfortunate event.
Although the company has already restored its servers to a fully operational state thanks to having backups, the problem of the exfiltrated files remains. This proves once more that having a backup strategy isn’t enough to protect you from the consequences of a ransomware infection anymore. This trend was started by Maze, with DoppelPaymer and Sodinokibi following the same approach shortly after. This incident, however, was the work of the CLOP ransomware group, as ExecuPharm’s chief of operations David Granese told TechCrunch.
Portions of the stolen data are already leaking on the dark web, so the pressure is on the pharmaceutical company to pay the undisclosed amount of ransoms. CLOP reportedly stated that even though their attacks exclude hospitals, nursing homes, and charities during the COVID-19 pandemic, they still targeted this company because ExecuPharm is one of the few entities that benefit from the current situation.