
Cyber Incident Victim: Crinetics Pharmaceuticals

Date: Mar 2024

Location: United States of America

Summary

A Nasdaq-listed pharmaceutical development company based in San Diego is investigating a cybersecurity incident involving suspicious activity in an employee's account, which was promptly disabled. The organization activated its incident response process, engaged third-party experts, notified law enforcement, implemented additional security measures, and contained the incident without operational or database impact. The LockBit ransomware gang claimed responsibility, listing the company on its leak site with a multimillion-dollar ransom demand, though the organization did not confirm ransomware involvement. LockBit, recently disrupted by law enforcement operations targeting its infrastructure and arrests of affiliates, has historically focused on pharmaceutical sector victims. The gang's leader publicly vowed to continue attacks despite setbacks, while researchers note ongoing but diminished activity post-takedown.


Description

Crinetics Pharmaceuticals, a Nasdaq-listed clinical-stage company specializing in therapeutics for endocrine diseases and endocrine-related tumors, detected suspicious activity in an employee’s account in late February or early March 2024. The company disabled the compromised account on the day of discovery and activated its cybersecurity incident response process. Crinetics initiated an internal investigation, engaged third-party cybersecurity experts for forensic assistance, and notified law enforcement agencies about the incident. Additional company-wide security measures were implemented to contain the breach, which the company confirmed did not affect its operational capabilities, discovery pipelines, or study databases. On March 1, 2024, the LockBit ransomware gang listed Crinetics on its data leak site, claiming responsibility for the attack and demanding a $4 million ransom payment with a deadline set for March 23. Crinetics declined to confirm whether the incident involved ransomware encryption or whether data exfiltration occurred, stating only that its investigation remained ongoing and that it would comply with legal notification requirements.

The incident occurred during LockBit’s attempted operational recovery following a multinational law enforcement operation in February 2024 that disrupted its infrastructure and seized hacking tools, cryptocurrency reserves, and source code. Despite these setbacks, LockBit’s leadership publicly vowed to continue attacks, with the gang’s administrator “LockBitSupp” declaring intentions to target one million organizations globally. At the time of the Crinetics incident, cybersecurity researchers noted LockBit had accelerated new victim postings after weeks of primarily recycling pre-takedown data, though some recent listings correlated with fresh compromises. LockBit historically operated as the world’s most prolific ransomware group, with the U.S. Department of Justice attributing over 2,300 attacks and $120 million in ransom payments to the gang since its inception. Pharmaceutical companies remained frequent targets during this period, with LockBit and other groups compromising entities including Eisai, Sun Pharmaceuticals, PharMerica, and Cencora within the preceding twelve months. Multiple suspects linked to LockBit operations were arrested in Ukraine and Poland following the law enforcement action, with authorities anticipating further arrests.
