In a recent cyber intrusion incident, ransomware operators associated with the notorious Alphv, or BlackCat, extortion gang, claimed to have stolen data from a company specializing in assisting organizations with medical trials. The breach reportedly occurred after one of the firm’s executives fell victim to a SIM-swapping attack, wherein the criminals gained control of the executive’s cellphone number and subsequently accessed their work accounts.
The perpetrators, who are known for their cyber-extortion activities, purportedly obtained access to the executive’s work account, potentially exfiltrating confidential information from the business. They exploited this access to change account passwords, login, and access various profiles and documents, all facilitated by one-time authentication codes sent to the hijacked cellphone number. This incident highlights the vulnerability of text message or call-based methods for authentication and password resets.
The ransomware group claimed to have exfiltrated more than 120GB of confidential data related to Advarra’s customers, patients, and employees, including both current and former individuals. The criminals threatened to leak or sell this information if their ransom demands were not met. However, the veracity of their claims regarding the stolen data remains unverified.
As a means of substantiating their intrusion, the cybercriminals disclosed personal information belonging to some individuals. This information included the name, date of birth, and social security number of a 17-year-old in the United States, as well as a passport scan of an Advarra executive. Additionally, the criminals alleged that a senior manager at Advarra had engaged with them in a confrontational manner, but these claims have since disappeared from their dark website.
Currently, the threat actors have set a deadline for Advarra to respond to their demands within 24 hours, failing which they would release the exfiltrated data. They warned that patients participating in clinical research studies could also be affected.
Advarra, based in Columbia, Maryland, provides services to organizations conducting medical research and clinical trials. A company spokesperson acknowledged the compromise of an employee’s phone number and clarified that the intruder used this access to infiltrate some of the employee’s accounts, including LinkedIn and their work account. The company has taken containment measures to prevent further access and is collaborating with third-party cybersecurity experts. Federal law enforcement has also been notified, and the company believes the matter is now contained. Advarra reassured that the intruder did not gain access to clients’ or partners’ systems, and business operations remain unaffected.
The investigation into the breach is ongoing, with the company taking steps to enhance its system security in line with industry best practices.
This incident follows the recent leak of 8.6TB of data from another US healthcare organization, Morrison Community Hospital in Illinois, by the Alphv group. Similarly, Morrison Community Hospital refused to negotiate with the ransomware operators.
While some ransomware groups have exhibited a degree of morality by avoiding attacks on hospitals, others, like BlackCat, have shown no such restraint. Healthcare organizations have traditionally been a prime target for cybercriminals due to the sensitive nature of the data they possess and the likelihood of having insurance coverage. However, data from Sophos indicates a slight decrease in cyberattacks in the healthcare sector in 2023 compared to the previous year. Nonetheless, in nearly 75 percent of successful attacks, data encryption occurred, marking the highest encryption rate in the past three years. In 37 percent of these cases, data was also stolen.