Ransomware in Pharmaceutical Overview

The pharmaceutical industry is comprised of public and private organizations focused on the research, development and manufacturing of drugs and medication. The global pharmaceutical industry was an estimated $405B in size in 2020 and is forecast to grow at over 11% annually from 2021 – 2028. Of all industries affected by the COVID-19 pandemic, the pharmaceutical industry is by far the most visible. Governments around the globe have made significant investments into the research and manufacturing of vaccines and post-infection treatments. The pandemic has led to the unfortunate increase in cyber attacks against pharmaceutical companies from both pedestrian criminals to nation states looking to steal intellectual capital and obtain ransomware payments.

According to a recent Forbes article: “Pharmaceutical and biotech companies suffer more breaches than those in any other industry, with 53% of them resulting from malicious activity, according to the 2020 Cost of a Data Breach Report from IBM and the Ponemon Institute. And the costs of those breaches are constantly growing.”

Ransomware Incidents in the Pharmaceutical Industry

Various pharmaceutical suppliers, 2014

A cyber attack known as “Dragonfly” or “Energetic Bear” that was originally thought to be targeting critical infrastructure companies turned out to actually be focused on disrupting suppliers of key ingredients of various drugs destined for pharmaceutical companies. Researchers eventually determined that the attackers were looking to steal intellectual property from the suppliers. The attack began with a spear phishing campaign that ultimately delivered malware to the victims. The attackers then attempted to steal the victims’ intellectual property, which investigators believed would then be used to create counterfeit materials.

The campaign was focused on very small suppliers and ultimately did little damage. Unfortunately, many of the larger pharmaceutical companies didn’t heed the warnings of attacks to come.

Merck, 2017

In 2017, news agencies began reporting on what appeared to be a major ransomware attack named “Not Petya” against a number of companies located in Ukraine, including financial institutions, government agencies, media outlets and electricity producers (including the radiation monitoring system at the notorious Chernobyl nuclear power facility). The attack weaponized a tax software application named MeDoc that was used by companies around the globe, including Merck. Investigators later determined that the malware quickly spread throughout Merck’s technology infrastructure, taking down approximately 30,000 computers across their sales, research and manufacturing organizations. The company basically ground to a halt for a period of two weeks, which ultimately cost them nearly $900 Million in damages and another $400 Million in lost sales. To make things worse, Merck’s insurers refused to pay for the damages due to a clause in their agreement stating the insurance company did not cover what they considered “acts of war.”

The governments of Ukraine, the United States and the United Kingdom all formally attributed the attack to the Russian government. Russia continues to deny this and claims they also had companies in their country that were adversely affected by the attack as well.

Bayer AG and Roche, 2018-2019

In 2018, pharmaceutical company Bayer was attacked by a purported Chinese hacker group named Wicked Panda using a malware named Winnti. The company believed that the attack was intended to steal intellectual property from the company that would ultimately be used by Chinese pharmaceutical companies for production of knock-off medicines. Bayer stated that while the malware did manage to get into their network, no data was exfiltrated.

A year later, Roche identified a very similar attack. As with Bayer, Roche acknowledged that the malware did get into their network, but no data was ultimately stolen and the company was able to rid itself of the malware.

Dr Reddy’s Laboratories, 2020

As the pandemic grew in scale, cyber attackers turned their attention to companies involved with the development of COVID-19 vaccines. Dr Reddy’s Laboratories is an India-based drug company that was working on Russia’s COVID vaccine named Sputnik V. The attack crippled the company’s global infrastructure, forcing them to shut down their datacenters and production facilities around the globe. The criminals appeared to be trying to steal clinical trial data that the company had compiled as part of the final stages of their clinical trials. The company was eventually able to restore all systems and production facilities.

Thwarting Ransomware Attacks in the Pharmaceutical Industry

From operational disruptions to stealing sensitive data, ransomware attacks in recent years have proven to be able to cripple companies in the pharmaceutical industry. Simply put, if pharmaceutical companies can prevent phishing attacks, they can significantly decrease the risk of ransomware attacks. Stopping ransomware in its tracks helps to avoid the loss of priceless intellectual property as well as costly recovery and containment measures. Here are some actions pharmaceutical companies can take today to thwart ransomware attacks.

Use Anti-Phishing Defenses

Phishing campaigns are a popular vector for threat actors to gain access to a company’s IT infrastructure. By impersonating trusted individuals, hackers can target employees with phony emails or social media messages that get them to disclose passwords or to download malware.

Anti-phishing defenses can include the use of advanced self-learning email filters that block, flag, or quarantine suspicious emails so that they don’t reach target employees. Another anti-phishing defense is to conduct simulated phishing tests to help employees get better at recognizing phishing attacks. Simulated phishing may be particularly helpful for social media phishing.

Leverage Artificial Intelligence

Artificial intelligence continues to evolve and play an increasingly important role in cybersecurity. AI can be used within several types of cybersecurity tools to detect and prevent ransomware. From email filters that leverage machine learning to intelligent user monitoring, AI can help to thwart ransomware before the dreaded encryption or data exfiltration events that cause the bulk of the damage from these attacks.

Closing Thoughts

If there is one overarching message from this article, it’s that pharmaceutical companies need to treat ransomware as a high-risk incident that they are exposed to at all times. They must understand their risk exposure and make the necessary investments in tools and personnel to keep themselves safe from attack. The adverse effects of a ransomware attack can be incredibly painful for both the company and their downstream customers, as well as the billions of people who require medicines and vaccinations to remain healthy. It is best to get in place the right mindset, tools, and processes to prevent ransomware before it can cause damage.

To learn more about IRONSCALES’ award-winning anti-phishing solution, please sign up for a demo today.