Henry Schein ransom negotiations fail, attacks claimed by ALPHV/BlackCat

Henry Schein, a major global distributor of healthcare products, is undergoing what appears to be intense negotiations after being breached by the ALPHV/BlackCat ransom group in October. The gang says it will begin publishing portions of its trove by Friday.

The Russian-linked ransomware gang claims to have exfiltrated a whopping 35 terabytes of sensitive data from the New York-based company and threatened to publish the stolen data on November 3rd if ransom demands were not met.

ALPHV/BlackCat now claims negotiations have stalled and that the gang has re-encrypted the company’s network systems, undoing any recovery process that Henry Schein had been working on.

Meanwhile, the company, whose website and business operations are still experiencing issues, confirmed a ‘cybersecurity incident’ in a press release on October 15th.

Henry Schein said the cyber event had impacted “a portion of its manufacturing and distribution businesses,” which caused the company to take “certain systems offline and other steps intended to contain the incident.”

Henry Schein website ransom attack

The healthcare equipment and technology solutions company lists more than 23,000 employees worldwide more than 1 million customers across 32 countries.

ALPHV/BlackCat first posted about the alleged attack on its dark leak site Thursday, November 2nd, along with a lengthy message about the attack and how negotiations with the company were failing.

The gang specifically called out the outside experts – ransomware recovery firm Coveware Company – hired by Henry Schein, claiming “a lack of commitment on the part of Henry's management team.”

“We were in contact with Henry's negotiators named Coveware Company, Lizzie and her colleagues. It seems like they are sticking to their position of buying more time, as they have been from the beginning,” ALPHV/BlackCat posted.

“Last week, we warned them that if they continued this behavior, we would take action, and we did,” it said.


“While Henry was almost finished restoring everything, we encrypted their systems again, causing Coveware's client to lose an additional two weeks of business,” the group claimed.

The notorious ransomware gang also stated that it would release “a portion of their internal payroll data and shareholder folders” on its collections blog page as of midnight Friday and continue to publish more data daily.

At the time of this report, Cybernews can confirm that no data has been published on the group’s collections blog.

ALPHV/BlackCat claims they initially had “worked” on gaining access to the Henry Schein network for an “extensive period of time,” utilizing its “advanced tools and conducting a thorough analysis to extract a significant amount of data from their file shares and databases.”

Cybernews has reached out to the media team at Henry Schein and is awaiting a response.

ALPHV/BlackCat background

ALPHV/BlackCat ransomware was first observed in 2021.

Operating as a ransomware-as-a-service (RaaS) model by selling malware subscriptions to criminals, the gang is known for its use of the Rust programming language.

According to a Microsoft research profile, ALPHV/BlackCat is also known to have worked closely with other ransomware groups such as Conti, LockBit, and REvil.

Furthermore, the FBI believes that money launderers for the gang are linked to the Darkside and BlackMatter ransomware cartels.

A Cybersecurity analyst report by ANOZR WAY showed the group was responsible for approximately 12% of all attacks in 2022.

ALPHV/BlackCat carried out more than 200 ransom attacks in the first half of 2023 alone, according to a September report by Trend Micro.

The group has easily caused over $1 billion in lost corporate revenue in 2023, according to cybersecurity analyst and researcher Dominic Alvieri.

Known for its triple-extortion tactics, other big name victims claimed by the ALPHV/BlackCat include Clorox, Dole, NCR, Next Gen Healthcare, Seiko and the Mazars Group.

Update November 6th [2:55 PM GMT] : Over the weekend Henry Schein was removed from the ALPHV/Blackcat leak blog leading to speculation that ransom negotioations are back on.

More from Cybernews:

Book review – Going Infinite: The Rise and Fall of a New Tycoon

The man who found a world: detecting an exoplanet

Infosys US unit hit by cyber event

Insurance broker falls for phishing attack, leaves 80K people affected

ESA to use AI to protect infrastructure and tackle space debris

Subscribe to our newsletter

Leave a Reply

Your email address will not be published. Required fields are markedmarked