Cyber Incident Victim: 10x Genomics
Date:
Apr 2020
Location:
United States of America
Summary
A ransomware attack targeted a California-based COVID-19 research firm, 10x Genomics, conducted by the REvil group using Sodinokibi malware. The attackers exfiltrated over 1 TB of data including secure storage systems and threatened to release the information unless contacted, subsequently leaking some files on dark web platforms. The disclosed materials were later removed by hosting services for violating terms of service. The incident was formally reported through regulatory filings, highlighting unauthorized access to sensitive data and operational systems during critical pandemic-related research activities.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 2 techniques |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
In early 2020, 10x Genomics, a California-based biotechnology company engaged in COVID-19 research, experienced a ransomware attack attributed to the REvil cybercriminal group. The attackers deployed Sodinokibi ransomware against the firm's systems, mirroring a pattern of targeting entities involved in pandemic-related research, as evidenced by a separate March 2020 attack on Hammersmith Medicines Research in London by the Maze Team. 10x Genomics publicly disclosed the incident through an SEC filing dated April 1, 2020, confirming the breach without specifying the exact attack timeline. The REvil group substantiated their claim of compromise by publishing a screenshot of directory folders from 10x Genomics' systems on their dark web (.onion) platform. This visual evidence accompanied a ransom ultimatum indicating attackers had exfiltrated over 1 terabyte of data from what they described as the company's "secure disk/netapp/scada" infrastructure.

The attackers established a three-day deadline for contact before threatening to release an initial data batch, concluding their message with "CYA" (likely "cover your ass"). REvil followed through by publishing some exfiltrated files on undisclosed hosting platforms, though these were subsequently removed by the platforms for violating terms of service. The breach compelled 10x Genomics to fulfill regulatory disclosure obligations through its SEC filing, confirming unauthorized access without detailing operational disruptions or ransom negotiations. The targeting of multiple COVID-19 research entities within weeks highlighted emerging cybersecurity risks to pandemic response efforts. Data removal by hosting providers limited public exposure of stolen information, though the incident demonstrated successful network penetration and data exfiltration by the threat actors.
