Cyber Incident Victim: Expanscience
Date: Nov 2020
Location: France
Summary
A pharmaceutical laboratory known for products such as Mustela experienced a ransomware attack attributed to the Egregor group, marking the second such incident within a four-month period following an earlier compromise by the Maze ransomware operators. The cyberattack compromised the organization’s IT infrastructure, though specific operational or data impacts were not detailed in available reporting. The incident highlights recurring targeting by ransomware groups within the pharmaceutical sector during this timeframe.
Description
On November 3, 2020, cybersecurity journalist Damien Bancal publicly disclosed a ransomware attack targeting Expanscience, a French pharmaceutical laboratory known for products such as Mustela. This incident marked the second confirmed cyberattack against the company within a four-month period, following an earlier compromise attributed to the Maze ransomware group. The Egregor ransomware operation subsequently claimed responsibility for the November intrusion, announcing that it had gained unauthorized access to Expanscience's IT infrastructure; the means of access were not disclosed. The attack occurred amid heightened cybercriminal activity targeting healthcare and pharmaceutical organizations during the global pandemic period, though no explicit connection to pandemic-related motives was stated in the disclosure. Bancal's reporting did not specify whether data exfiltration occurred prior to encryption, nor did it detail the operational impacts on Expanscience's manufacturing or research activities.

Six days after the Expanscience disclosure, on November 9, Bancal identified another ransomware incident affecting Bailly Creat, a separate French pharmaceutical laboratory specializing in dry-form drug manufacturing. The Doppel ransomware group claimed responsibility for this attack, though no technical details regarding infection vectors or compromised systems were provided. The consecutive targeting of two French pharmaceutical entities within one week suggested potential sector-specific focus by multiple threat actors, though no evidence of coordination between the Egregor and Doppel operations was documented. Bancal's reporting through Zataz.com constituted the primary public documentation of both incidents, with neither victim organization issuing official statements regarding attack mitigation, data recovery processes, or potential regulatory notifications at the time of disclosure. The absence of subsequent public updates left the long-term consequences and full scope of both compromises unverified in open-source reporting.
