Cyber Incident Victim: ExecuPharm Inc
Date:
Mar 2020
Location:
United States of America
Summary
A U.S. pharmaceutical firm suffered a ransomware attack by the CLOP group, which exfiltrated and later published sensitive internal data including employee Social Security numbers, financial records, passport details, and corporate documents such as emails and database backups. Although the group had pledged during the pandemic to spare medical facilities, it justified targeting this commercial entity by alleging it profited from the health crisis. The victim engaged cybersecurity experts, notified law enforcement and affected individuals, and initiated an investigation. At the time, no public decryption tool existed for CLOP's ransomware; earlier victims had paid substantial ransoms to recover. This incident exemplifies the growing trend of ransomware operators combining data encryption with extortion through threats of public leakage.
Description
On March 13, 2020, ExecuPharm, a U.S. pharmaceutical company, suffered a ransomware attack conducted by the CLOP ransomware group. The attackers infiltrated the company's systems and exfiltrated sensitive data, including Social Security numbers, financial records, driver's license numbers, passport numbers, and other personally identifiable information, before encrypting files. ExecuPharm confirmed the breach in a notification letter to the Vermont attorney general's office, acknowledging unauthorized access to this data. In April 2020, CLOP escalated its extortion by publishing the stolen data on a dark web leak site, demonstrating the group's adoption of the "double extortion" strategy pioneered by the Maze ransomware operation in late 2019. The leaked data cache contained thousands of internal emails, financial and accounting documents, user files, and database backups, exposing substantial corporate and employee information. CLOP justified targeting ExecuPharm by asserting that commercial pharmaceutical companies profited from the COVID-19 pandemic, distinguishing them from the hospitals, nursing homes, and charities the group claimed to exempt from attacks.

ExecuPharm initiated its response by launching an immediate investigation, engaging cybersecurity firms to assess the breach's scope, and notifying federal and local law enforcement authorities. The company also began notifying potentially affected individuals about the compromise of their sensitive data. Operations chief David Granese publicly confirmed CLOP's responsibility for the attack and outlined these response measures. The incident highlighted a practical remediation problem: no publicly available decryption tool existed for CLOP ransomware at the time, a situation previously faced by Maastricht University, which paid a $220,000 ransom in Bitcoin during a 2019 CLOP attack. The FBI's standing advice against paying ransoms still applied, but the publication of stolen data showed how much additional pressure modern ransomware groups can bring to bear. Backups address the encryption half of such an attack but not the exfiltration half: once data has been copied out, restoring systems does nothing to prevent its release. The breach exposed both employee personal information and corporate operational data, creating significant privacy and reputational risks for the organization.
