Business Continuity Management / Disaster Recovery , Critical Infrastructure Security , Cybercrime

Hackers Claim Drug Data Theft as Reports Warn Health Sector

Pharma Maker Disputes Data Compromise Amid Reported Rise in Sector Attacks
Hackers Claim Drug Data Theft as Reports Warn Health Sector
A dark web marketplace offers for sale - for $500,000 in bitcoins - data allegedly stolen from drugmaker Novartis.

Drugmaker Novartis says no sensitive information was compromised in an alleged incident involving a hacking group that claims to have stolen company data "directly" from the laboratory environment of a manufacturing plant.

See Also: NHS Ransomware Attack: Healthcare Industry Infrastructures Are Critical

The alleged incident involving Novartis is among the latest examples of rising cyberattacks on healthcare sector entities and comes amid warnings to the industry by federal authorities about certain threat actors.

A new report by security firm Sophos finds that 66% of healthcare organization respondents acknowledge that their organizations were hit by ransomware in 2021, up from 34% in 2020.

The 94% increase in ransomware attacks on healthcare sector entities over a one-year period "demonstrates that adversaries have become considerably more capable at executing the most significant attacks at scale," the report says.

In addition, the Department of Health and Human Services' Health Sector Cyber Coordination Center, or HC3, issued an advisory last week about the "return" of Emotet malware as an infrastructure-as-a-service offering used by cybercriminal groups as a vehicle to drop ransomware, data exfiltration and related attacks on healthcare sector entities.

Emotet first emerged around 2014 as a banking Trojan. The Emotet botnet was disrupted in early 2021 by U.S., Canada and European law enforcement agencies but began to resurface by the end of the year, HC3 says (see: Emotet Returns With New Tricks Up Its Sleeve).

Novartis Incident

Extortion group Industrial Spy on its dark web Tor marketplace last week allegedly posted for sale for $500,000 in bitcoins data it claims was stolen from Novartis, including "latest RNA and DNA-based drug technology" stolen from a laboratory environment of a company manufacturing plant, according to news site Bleeping Computer.

The data Industrial Spy claims was stolen from Novartis and posted for sale on the group's dark web marketplace includes 7.7MB of PDF files containing data related to next-generation technology used in the development of COVID-19 vaccine variants and genetic cancer therapy Kymriah, according to Bleeping Computer.

The pharmaceutical company, in a statement provided to Information Security Media Group, says: "Novartis is aware of this matter, we have thoroughly investigated it and we can confirm that no sensitive data has been compromised. We take data privacy and security very seriously and have implemented industry standard measures in response to these kind of threats to ensure the safety of our data."

Novartis declined ISMG's request for additional details about the alleged incident.

Ransomware Trends

Sophos for its study contracted with research agency Vanson Bourne to conduct an independent, vendor-neutral survey of 5,600 IT professionals, including 381 healthcare respondents, in midsized organizations with 100 to 5,000 employees across 31 countries.

The survey, which was conducted during January and February 2022, found that when compared to all sectors surveyed, the rate of ransomware hits on healthcare was at par with the global average of 66%.

The study defined being hit by ransomware as having one or more devices affected by an attack but not necessarily encrypted.

The survey also found that healthcare had the highest increase in the volume of cyberattacks - 69% - as well as the complexity of cyberattacks - 67%, compared to the cross-sector average of 57% and 59%, respectively. In terms of the impact of these cyberattacks, healthcare was the second-most-affected sector - at 59% - compared to the global average of 53%, the report says.

Healthcare was also the sector most likely to pay a ransom. But the average ransom - $197,000 - was the lowest among all sectors, according to the Sophos study.

In terms of data encryption rates in ransomware attacks, healthcare had a 61% encryption rate, lower than the global average of 65%, indicating that healthcare fared slightly better in being able to stop data encryption in an attack, according to the Sophos survey.

Meanwhile, the percentage of healthcare sector victims who experienced extortion-only attacks, in which data was not encrypted but the organization was held to ransom with the threat of exposing data, fell to 4% of ransomware attacks in 2022, from 7% in 2020, the study says.

"One reason for this good showing could be that more healthcare organizations are now opting for cyber insurance, which demands higher cybersecurity defense enhancements," the report says.

Chet Wisniewski, principal research scientist at Sophos, predicts, that given the increase in the ransomware-as-a-service model embraced by cybercriminals, combined with the "rich" personally identifiable information held by the healthcare sector, there will continue to be a high focus target for ransomware actors in the coming year.

"We’ve seen that adversaries have few scruples when it comes to who they target, and healthcare should expect to be targeted," he says.

Emotet Warning

Meanwhile, HHS HC3 in its Emotet warning says that almost 80% of the malware affecting computer systems in the healthcare industry is Trojans, and the most common of them is Emotet, according to researchers at security firm Malwarebytes.

Healthcare remains one of the top industries targeted by Emotet, which is often delivered via phishing but also by known vulnerabilities and brute force attacks, HC3 says.

Those incidents are often used to drop additional malware - such as Azorult, TrickBot, IcedID or Qbot - or ransomware, such as Ryuk and Bitpaymer, the advisory says.

"Emotet and TrickBot are two groups who very often work together in major cyberattack campaigns," HC3 says.

About the Author

Marianne Kolbasuk McGee

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.