Underground Team's Ransomware Attack on Ethypharm

Incident Date:

July 1, 2024


Overview

Title

Underground Team's Ransomware Attack on Ethypharm

Victim

Ethypharm

Attacker

Underground Team

Location

Romford, United Kingdom

First Reported

July 1, 2024

Analysis of the Ransomware Attack on Ethypharm by the Underground Team

Company Profile: Ethypharm

Ethypharm is a specialty pharmaceutical company focused on central nervous system (CNS) diseases, in particular severe pain and opioid dependency. With revenue of €334 million, it develops and manufactures drug delivery solutions intended to improve patient outcomes. Its products are used in pain management, addiction treatment and critical care, which makes it a key supplier to the National Health Service (NHS) in the UK. The company's operations are based in Romford, Greater London, where it manufactures and distributes pharmaceutical products.

Details of the Ransomware Attack

The ransomware group known as the Underground Team claimed responsibility for an attack on Ethypharm via its dark web leak site, first reported on July 1, 2024. The listing describes a double-extortion operation: the group claims to have exfiltrated sensitive data and threatens to leak it unless a ransom is paid. Its tooling is reported to stop targeted services, delete Volume Shadow Copies and clear Windows event logs before encryption, which removes the local recovery points and much of the forensic trail defenders would otherwise rely on. Files are encrypted with 3DES, with the 3DES keys in turn protected by RSA, so recovery without the attackers' private key is impractical; offline, tested backups are the only dependable route to restoring data.
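The three pre-encryption behaviours named above (service stop, shadow copy deletion, event log clearing) are all visible in process-creation telemetry before any file is encrypted. The following is an added detection example, not code from the page or from the ransomware group. It assumes a simplified pipe-delimited process-creation log (timestamp|host|user|image|commandline, a constructed format) and maps each hit to the MITRE ATT&CK technique it corresponds to; the sample log lines are constructed for the example. It also correlates hits per host, since any one of these commands can be legitimate administration but several of them on one host within minutes is the signature of ransomware staging.

```python
"""Detect ransomware staging commands in process-creation logs.

Added example (not from the page or the ransomware group).  The log format
below is a constructed, simplified one: timestamp|host|user|image|commandline.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Finding:
    ts: datetime
    host: str
    technique: str      # MITRE ATT&CK technique ID
    description: str
    line_no: int
    command: str


# (ATT&CK technique, description, compiled regex over the command line).
# Patterns cover the native tools and their PowerShell equivalents.
RULES = [
    ("T1490", "Inhibit System Recovery: Volume Shadow Copy deletion",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b"
                r"|\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b"
                r"|\bWin32_ShadowCopy\b.*\bRemove-WmiObject\b", re.I)),
    ("T1070.001", "Indicator Removal: Clear Windows Event Logs",
     re.compile(r"\bwevtutil(\.exe)?\b\s+(cl|clear-log)\b"
                r"|\bClear-EventLog\b", re.I)),
    ("T1489", "Service Stop",
     re.compile(r"\b(net1?|sc)(\.exe)?\b\s+stop\b"
                r"|\bStop-Service\b", re.I)),
]


def parse_line(line):
    """Parse one constructed log line into a dict, or None if malformed."""
    parts = line.rstrip("\n").split("|", 4)
    if len(parts) != 5:
        return None
    ts, host, user, image, cmd = parts
    # Accept a trailing 'Z' on older Pythons that lack that in fromisoformat.
    when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return {"ts": when, "host": host, "user": user, "image": image, "cmd": cmd}


def detect(lines):
    """Return one Finding per (line, rule) match, in log order."""
    findings = []
    for n, line in enumerate(lines, 1):
        rec = parse_line(line)
        if rec is None:
            continue
        for tech, desc, rx in RULES:
            if rx.search(rec["cmd"]):
                findings.append(Finding(rec["ts"], rec["host"], tech, desc, n, rec["cmd"]))
    return findings


def staging_hosts(findings, window=timedelta(minutes=10), min_techniques=2):
    """Hosts where >= min_techniques distinct techniques fire inside `window`.

    Returns {host: sorted technique IDs}.  A single vssadmin call may be an
    admin cleaning up disk; several of these techniques back to back is not.
    """
    by_host = {}
    for f in findings:
        by_host.setdefault(f.host, []).append((f.ts, f.technique))
    flagged = {}
    for host, events in by_host.items():
        events.sort()
        for t0, _ in events:
            techs = {tech for t, tech in events if t0 <= t <= t0 + window}
            if len(techs) >= min_techniques:
                flagged[host] = sorted(techs)
                break
    return flagged


# Constructed sample: a staging sequence on a file server plus benign noise
# on a workstation (listing shadows is not deletion and must not fire).
SAMPLE_LOG = """\
2024-07-01T02:13:05Z|SRV-FILE01|CORP\\svc_backup|C:\\Windows\\System32\\vssadmin.exe|vssadmin.exe delete shadows /all /quiet
2024-07-01T02:13:06Z|SRV-FILE01|CORP\\svc_backup|C:\\Windows\\System32\\net.exe|net stop MSSQLSERVER /y
2024-07-01T02:13:07Z|SRV-FILE01|CORP\\svc_backup|C:\\Windows\\System32\\wevtutil.exe|wevtutil.exe cl Security
2024-07-01T02:13:08Z|SRV-FILE01|CORP\\svc_backup|C:\\Windows\\System32\\wevtutil.exe|wevtutil.exe cl System
2024-07-01T02:14:00Z|WS-042|CORP\\jdoe|C:\\Windows\\System32\\vssadmin.exe|vssadmin.exe list shadows
2024-07-01T02:15:00Z|WS-042|CORP\\jdoe|C:\\Windows\\explorer.exe|explorer.exe
"""


def analyse_sample():
    return detect(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    found = analyse_sample()
    for f in found:
        print(f"line {f.line_no} {f.host}: {f.technique} {f.description}: {f.command}")
    print("staging suspected on:", staging_hosts(found))
```

On the sample the four staging commands on SRV-FILE01 each produce a finding, the workstation's `vssadmin list shadows` does not, and the correlation step flags only SRV-FILE01 with all three techniques. In production the same rules would run over Sysmon Event ID 1 or Security Event ID 4688 command lines rather than the constructed format used here, and a host that trips the correlation should be isolated immediately, because these commands run moments before encryption starts.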

Profile of the Underground Team Ransomware Group

The Underground Team is a financially motivated ransomware group that emerged in 2023. It is known for its novel encryption methods and has previously demanded ransoms of close to $3 million. The group targets organizations rather than individual users, choosing victims likely to yield large payments, and pairs its encryption with data theft to increase the pressure to pay.

Potential Vulnerabilities and Entry Points

Ethypharm's reliance on digital systems for drug formulation, manufacturing and distribution gives it a broad attack surface. The initial access vector has not been reported: phishing and unpatched internet-facing software are the most common entry points for groups of this kind, but nothing in the listing confirms either. The value and sensitivity of the data Ethypharm handles make it a lucrative target, and pharmaceutical companies should treat attacks of this kind as expected rather than exceptional when planning their defences.

Sources

Recent Ransomware Attacks
