Rite Aid breached (again) according to new ransomware claim


The Rite Aid Corporation, an American chain of drugstores located in almost every town and city across 16 states, has allegedly been hit by ransomware.

In a statement sent to Cybernews on Friday, Rite Aid confirmed the company had suffered a “limited cybersecurity incident in June” and is now in the process of “finalizing our investigation.”

“Together with our third-party cybersecurity partner experts, we have restored our systems and are fully operational,” Rite Aid said.


“We take our obligation to safeguard personal information very seriously, and this incident has been a top priority. We appreciate your patience until we can provide additional information,” Rite Aid said in the statement.

The RansomHub group posted Rite Aid on its dark blog Friday, claiming to have exfiltrated 10GB of sensitive data from the retail giant’s networks.

“While having access to the Riteaid network we obtained over 10GB of customer information equating to around 45 million lines of people's personal information,” the Russian-linked gang posted on its victim leak site.

RansomHub set a deadline giving Rite Aid 13 days, or until July 22nd, to meet the group's demands or the compromised data will allegedly be leaked.

[Image: Rite Aid listing on the RansomHub leak site. Image by Cybernews.]

The ransomware group also claims that at some point it had begun negotiations with Rite Aid – even agreeing on a ransom amount to be paid – that have since fallen apart.

“Suddenly at the end of negotiations once we both came to an agreement they stopped communications,” RansomHub wrote on its blog.

“From this it is obvious that the Riteaid leadership don't value the safety of it's customers sensitive details,” the group said.


The cybercriminals also provided a sample of the purported stolen information, which Cybernews can confirm contains names, addresses, dates of birth, driver’s license numbers, and Rite Aid rewards numbers.

Rite Aid further confirmed to Cybernews in Friday's statement that “no social security numbers, financial information, or patient information” were impacted in the June breach.

[Image: Rite Aid data sample on the RansomHub leak site. Image by Cybernews.]

The drugstore chain also said it "was sending notices to impacted consumers," although it did not specify how or when those customers should expect to be notified.

Headquartered in Philadelphia, the seventh largest drug store conglomerate in the US boasts 1700 retail/pharmacy store locations and more than 50,000 employees, according to its website.

The chain services more than 1.6 million Americans each day, with a prescription revenue of $13.6 million in 2023, Statista reports.

Rite Aid is no stranger to ransomware attacks. Last May, the American drugstore chain was listed as one of the hundreds of victim organizations breached in the MOVEit hacks orchestrated by the Cl0p ransomware gang.

Months later, Rite Aid revealed more than 24,000 of its customers had personally identifiable information stolen in the hack, including names, addresses, birth dates, limited insurance, and prescription information.

Who is RansomHub?

RansomHub is a relatively new player in the ransomware ecosystem, having gained some traction since posting its first victim in February 2024.


Analysts claim that the group’s setup closely resembles a traditional Russian ransomware operation, with the gang avoiding targets in Russia, CIS countries, Cuba, North Korea, and China.

Recent May breaches include gaming laptop maker Clevo, the high-profile Christie’s auction house, and Frontier, the 4th largest high-speed internet provider in the US covering 25 states.

The fledgling group also became a main player in the aftermath of the massive UnitedHealth Change Healthcare hack carried out by the ALPHV/BlackCat ransomware gang.

RansomHub, thought to be one of the main affiliates connected to ALPHV, claimed to have published a swath of files allegedly part of what was obtained during the hack.

According to Ransomlooker, Cybernews’ ransomware monitoring tool, RansomHub has victimized at least 45 organizations since its inception.

