Suspected Attack Shuts Down US Blood Plasma Donation Centers
Swiss-Based Octapharma Plasma Says Co. is Dealing with 'Network Issues'
The U.S. operations of a Swiss pharmaceutical maker have shut down nearly 200 blood plasma donation centers while the company responds to "network issues" that started earlier this week and have reportedly been caused by a suspected BlackSuit ransomware gang attack.
Octapharma Plasma in an "important announcement" posted in a banner on its website says all its donation centers "are experiencing network issues and are currently closed." The global, Lachen, Switzerland-based company operates more than 190 U.S. blood plasma donation centers in 35 states.
Those donation centers collect, test and supply plasma to Octapharma Plasma AG's European operations "for manufacture into life-saving therapies," the company's website said.
In 2023, Octapharma Plasma generated revenue of nearly $3.5 billion. Its products, focused on three therapeutic areas (hematology, immunotherapy and critical care), are available in 118 countries and reach "hundreds of thousands of patients" every year, the company said.
Octapharma Plasma on its website and Facebook page said it would provide further updates on its centers reopening through email, social media, its mobile OctaApp, and on its website.
"We apologize sincerely for the inconvenience and our support teams are working tirelessly to resolve this issue," Octapharma said on its Facebook page on Friday.
The Register reported Thursday that a source familiar with the Octapharma situation told the media outlet that the company fell victim to a BlackSuit ransomware infection on Monday. The shutdown of donation centers in the U.S. as the company deals with its IT issues is likely to affect supplies of plasma products to Octapharma's European operations, The Register reported.
Octapharma in a statement to Information Security Media Group said that on April 17, it identified unauthorized activity in its network environment, which has disrupted certain parts of its operations. "We are taking this matter very seriously. Upon learning of this event, we began conducting an investigation with outside experts to understand the impact. That investigation remains ongoing, and we do not have more to report at this time," the company said.*
Octapharma Plasma did not immediately respond to ISMG's request for comment on whether the company is dealing with a ransomware attack by BlackSuit or perhaps another gang, and for other details about the incident and response efforts.
Russian Ties?
As of Friday, dark web monitoring website Darkfeed counted 52 BlackSuit victims.
In January, the Department of Health and Human Services' Health Sector Cybersecurity Coordination Center in a threat report warned healthcare entities about BlackSuit threats.
The relatively new ransomware group is presenting "an increasing threat to the healthcare and public health sector," HHS HC3 wrote.
"The consensus is BlackSuit is a rebranding of the Royal ransomware gang, which is a descendant of the Russian Conti gang," said Mike Hamilton, founder and CISO of security firm Critical Insight.
"Conti and Royal had moved into the ransomware-as-a-service model, and BlackSuit seems to be perpetrating this extortion itself," he said. "This is either a shift in their 'business model,' or an indication that this is indeed an event that was performed on behalf of Russian state interests - with no need for an affiliate to carry out the crime," he said.
"If true, we may see more surgically targeted victims that have an impact far wider than their own business operations," he said.
Octapharma is a major supplier of plasma to the EU - and the incident appears to be a targeted supply chain attack, Hamilton said. "While appearing to be purely criminal, this will definitely have the effect of destabilizing the EU health system," he said.
"This is a strategic objective of Russia, given the current geopolitical situation and in line with other events that have been directed at EU countries; nation-state collusion cannot be discounted," he said.
"Further, the inability to continue operations in the U.S. has already affected the ability to collect plasma donations, which for some are a source of income."
Group Health Cooperative of South Central Wisconsin, which provides insurance and a range of primary and specialty care services, also was reportedly among BlackSuit's other recent U.S. healthcare victims.
The Wisconsin nonprofit managed care organization reported to regulators earlier this month that information for nearly 534,000 individuals was copied and stolen in a recent attack by a "foreign ransomware gang" that also attempted - but failed - to encrypt the group's IT systems (see: Nearly 534,000 Affected in Data Theft at Managed Care Org).
"Governments need to quickly find ways to improve security within the healthcare sector and its supply chain," said Brett Callow, threat analyst at security firm Emsisoft.
"Disruptive incidents impact the quality of care that patients receive, impact medical outcomes, and place additional stresses on the resources of providers whose resources are often already stretched."
*Updated to include Octapharma Plasma's statement on April 22 11:25 UTC.