Henry Schein ransom saga now in third month, hackers show no mercy
The APLHV/BlackCat ransom gang says it will encrypt Henry Schein’s network systems for the third time – the latest payback move for stalling negotiations from a crushing October ransomware attack.
Henry Schein, a global leader in healthcare technology and product distribution, is still struggling to restore business operations since it announced the ransomware attack on its company website on October 15th.
As negotiations continue to move further south, the Russian-linked ransomware operators have called out the healthcare solutions giant – once again – for lack of “professionalism.”
The three-month-long cat and mouse game has played out like a ransomware soap opera, with Henry Schein clearly on the losing end of the game.
APLHV/BlackCat posted a lengthy message on its dark leak site Tuesday – the third of its kind since the initial attack – titled, “Henry's " LOST SHINE."
The 534-word post slammed the company for “detrimental strategy.. management issues… lack of communication… and questionable decision making,” (just to name a few).
“We're proud to present the next level of attack,” the gang wrote, along with three distinct sections named “What happened there?," "Is your data safe with Henry?," and "What’s next?”
And like any good post mortem, APLHV/BlackCat even provided a 'lessons learned' for Schein and its team of cybersecurity experts and negotiators.
“Coveware, Stroz Friedberg, AVASEK, Proskauer, Clearly and other folks have realized that they should not be overconfident when dealing with Alpha. Their strategies have proven to be detrimental, causing a reputable company to incur 2 months of operational losses totaling over 500 million USD," the gang said.
The third round of damage
Accompanying the post, a 14-piece sample of the alleged 35TB of sensitive information ALPHV/BlackCat claims to have exfiltrated from Henry Schein servers.
“We have prepared some screenshots of a portion of their data that we believe is necessary to make public at this time,” it said.
The gang had originally threatened to start publishing some of its stolen data on November 3rd, after it had encrypted Henry Schein’s network the second time, again for failed negotiations.
The purported Henry Schein samples cache contains an array of confidential employee emails, dozens of passport jpeg files, several snippets of database files chock full of names, addresses, and contact info of seemingly Henry Schein customers, as well as "folders containing supplier's checking bank accounts.”
Even more egregious, the gang also posted a copy of a Stoltz Friedberg Interim cybersecurity report detailing the events from the October ransomware attack, dated November 17th, 2023.
Stoltz Friedberg is the outside digital forensic expert and incident response and recovery firm hired by Henry Schein in the wake of the attack.
The report, which was produced well after the first encryption took place, only proves that ALPHV/Blackcat has no problems accessing Henry Schein’s systems at will.
Meanwhile, in an official breach notice sent to customers and suppliers on November 13th, Henry Schein revealed that a plethora of sensitive information may have been compromised and/or misused in the attack, including bank account and credit card numbers.
In the letter, the company urged the possibly affected to change passwords, increase multi-factor authentication, and block all ACH debit transactions from bank accounts.
As for the final declaration in Tuesday's post, ALPHV/BlackCat listed names of “Henry’s partners” whose data exchanges it allegedly has a hold of, including big names such as Walmart, Pfizer, UCHealth, MedStar, First Health, and Albertsons.
ALPHV/BlackCat ransomware was first observed in 2021 and is known to operate as a ransomware-as-a-service (RaaS) model by selling malware subscriptions to criminals.
The Russian-affiliated gang carried out more than 200 ransom attacks in the first half of 2023 alone, according to a September report by Trend Micro, and is said to be responsible for approximately 12% of all attacks in 2022.
The group has easily caused over $1 billion in lost corporate revenue in 2023, according to security insiders.
Known for its triple-extortion tactics, the gang was responsible for the September ransomware attacks on the Las Vegas casino giants MGM Resorts, as well as Caesars International, who is rumored to have paid a $15 million ransom to keep operations running.
According to a Microsoft research profile, ALPHV/BlackCat is also known to have worked closely with other Russian-affiliated ransomware groups such as Conti, LockBit, and REvil.
Furthermore, the FBI believes that money launderers for the gang are linked to the Darkside and BlackMatter ransomware cartels.
ALPHV/BlackCat claims they initially had “worked” on gaining access to the Henry Schein network for an “extensive period of time,” utilizing its “advanced tools and conducting a thorough analysis to extract a significant amount of data from their file shares and databases.”
Cybernews has reached out to Henry Schein, but the company has not responded to our requests.
More from Cybernews:
Subscribe to our newsletter