ExecuPharm, a subsidiary of the U.S. biopharmaceutical giant Parexel, has been hit by a ransomware attack, according to a recent announcement made by the company.

In a letter sent to the Office of The Vermont Attorney General, the company explains that on March 13, 2020, “a data security incident that compromised select corporate and personal information” happened after “unknown individual encrypted ExecuPharm servers and sought a ransom in exchange for decryption.”

As part of the incident, ExecuPharm employees received phishing emails from the unknown individuals. After a thorough investigation, the company said, ExecuPharm determined that the individuals behind the encryption and the sending of the emails may have accessed and/or shared select personal information relating to ExecuPharm personnel, as well as personal information relating to select personnel of Parexel, whose information was stored on ExecuPharm's data network.

Information which may have been exposed includes: social security numbers, taxpayer ID/EIN, driver's license numbers, passport numbers, bank account numbers, credit card numbers, national insurance numbers, national ID numbers, IBAN/SWIFT numbers and beneficiary information.

The company said it notified federal and local law enforcement authorities in the US and retained third-party cybersecurity firms to investigate the incident further. 

According to the company, it has rebuilt the impacted servers from backup servers and has fully restored and secured the ExecuPharm systems.

Joseph Carson, chief security scientist and Advisory CISO at Thycotic, says, “Ransomware will continue to be one of the most destructive threats to many organizations for the foreseeable future, making it the most likely type of attack most companies will face. ExecuPharm has fallen victim to the CLOP ransomware group which uses the technique to steal and encrypt sensitive data. Even if the victim is able to restore the data from a backup, the adversary threatens to publicly leak the stolen data which can result in both brand and financial damage. Unfortunately for ExecuPharm, the attackers have started releasing personal data on employees which includes some very sensitive data that could be used to steal identities or cause financial fraud.”

At this time, it is not known which approach ExecuPharm will take, how many of their services are unavailable or whether they have a planned and tested incident response plan, says Carson. "Companies need to change their approach to ransomware rather than trying to recover after an incident, especially during these chaotic times with many employees working remotely, leaving more companies now at risk. The best approach to reduce the risk is for companies to take the principle of least privilege approach which effectively stops most ransomware. Controlling and securing privileged access, as well as applying the principle of least privilege, is an effective measure at reducing the risks from ransomware attacks," he adds.

Charles Ragland, security engineer at Digital Shadows, says, “The key thing that everyone should be doing is sharing information. Maintaining and sharing solid threat intelligence around actors and tools that frequently target the healthcare sector is one of the best things we can do to help. By providing this content, security professionals responsible for protecting healthcare networks can make informed decisions and ensure that infrastructure remains available for the patient care providers that need it.”

Jack Mannino, CEO at nVisium, notes that “Phishing attacks will always be successful over time regardless of how much awareness training we promote, where greater than zero clicks wins. Once an attacker gets in, your security posture and hygiene are what matter most. Controls like multi-factor authentication (MFA) can make it much more difficult to use stolen credentials for VPN access. There is no such thing as perfect security, but we need to make it as hard as possible for attackers.”