Clop ransomware leaked files stolen from U.S. pharmaceutical company ExecuPharm after ransom negotiations allegedly failed.
ExecuPharm is a contract research organization (CRO) that provides clinical research support services to companies from the pharmaceutical industry.
The company has more than 18,000 global clinical operational specialists in its network and has been one of the largest privately-owned global diversity suppliers of clinical development services since 1994.
Stolen data published on leak site
The ransomware attack was publicly disclosed by ExecuPharm in a notice of data breach letter sent to affected individuals and filed with the office of Vermont’s Attorney General.
While ExecuPharm did not mention the name of the ransomware strain used to encrypt its servers during the attack, the Clop Ransomware group has published the stolen data after the company refused to pay the ransom, as first reported by TechCrunch.
ExecuPharm also explains in the breach letter that they “rebuild the impacted servers from back up servers and have now fully restored and secured” the affected systems.
“Negotiations were conducted a month, the amount in bitcoins was announced and approved. Then they began to refer that the coinbase had a hold on their account, and they needed to wait 7-14 days,” the Clop actors told BleepingComputer when we reached out for more details.
“As a result, it turned out that they were not going to pay at all, although we made a 70% discount and showed patience on time.”
We also asked ExecuPharm to provide more info about the attack but the company refused to share more details. When we circled back asking about the ransom amount, ExecuPharm stopped replying.
According to Clop Ransomware’s leak site, the attackers were able to steal almost 19,000 ExecuPharm and Parexel employees’ emails, as well as further email correspondence including more than 80,000 emails.
Leaked ExecuPharm data
They also stole 163GB worth of financial, accounting, and employees’ documents, as well as SQL backups of the company’s document management system.
ExecuPharm was hit by Clop Ransomware on March 13 following a successful spearphishing attack that targeted some of the firm’s employees.
“On March 13, 2020, ExecuPharm experienced a data security incident that compromised select corporate and personnel information,” ExecuPharm’s letter reads.
“Specifically, unknown individuals encrypted ExecuPharm servers and sought a ransom in exchange for decryption.”
The company says that the ransomware group behind the attack may have accessed personal info belonging to ExecuPharm and Parexel (the parent company).
Among the information that the attackers could have accessed, ExecuPharm mentions employees’:
• social security numbers,
• taxpayer ID/EIN,
• driver’s license numbers,
• passport numbers,
• bank account numbers,
• credit card numbers,
• national insurance numbers,
• national ID numbers,
• IBAN/SWIFT numbers,
• and beneficiary information (including social security numbers).
ExecuPharm warns affected individuals that the stolen personal information could be used for identity theft and for obtaining credit in the victims’ names.
The company notified U.S. law enforcement agencies after Clop Ransomware’s attack and also retained the services of leading third-party cyber-security firms to investigate the incident.
“ExecuPharm also upgraded its security measures to prevent future attacks, including forced password resets, multi-factor authentication for remote access, and endpoint protection, detection, and response tools,” according to the data breach notification.
Clop also behind attacks on universities and other pharma orgs
Clop Ransomware was also behind the attack that encrypted most of Maastricht University’s Windows servers on December 23, 2019, after which the university had to shut down all of its systems as a precautionary measure during investigations.
In February, Maastricht University (UM) disclosed that it paid the 30 bitcoin ransom requested by the Clop Ransomware threat actors.
Just as in the case of ExecuPharm, the hackers were able to infiltrate the university’s systems using spearphishing e-mails opened on two of UM’s systems.
The Clop Ransomware group told BleepingComputer that they have never attacked certain types of organizations, including hospitals and charities, and that they will not do it in the future either.
Pharmaceutical companies that are working on Coronavirus vaccines or drugs will also be spared and will be provided with a free decryptor if they provide proof of their involvement in the pandemic medical response.
Clop previously added other companies from the pharmaceutical industry to their data leak site, but have since removed them.