Henry Schein subsidiary confirms ransomware attack


A Russia-linked cybercrime gang claims to have breached TriMed, a subsidiary of healthcare giant Henry Schein, and has posted samples of sensitive data on its dark web leak site. The company has confirmed a cybersecurity incident.

Lynx, a Russia-linked cybercriminal gang, is claiming a ransomware attack on TriMed, a subsidiary of Henry Schein.

Ransomware gangs often list their victims on dark web leak sites in an attempt to pressure organizations into paying a ransom.


If the demands aren’t met, gangs often dump the stolen data on the dark web for anyone to download, leaving the victim to face the consequences of the leak.

Some gangs use other tactics, such as auctioning stolen data to interested parties on underground marketplaces if the victim breaks off negotiations.

Screenshot of the data sample posted by the attackers.

“Henry Schein has still been going a cheap way with saving money on good IT security. As a result, they’ve become the victim of a cyberattack again,” wrote attackers on their site.

Henry Schein is an American distributor of healthcare products and services with operations in 33 countries. The company is the world's largest provider of healthcare products and services to office-based dental, animal health, and medical practitioners, with an annual revenue of $12.67 billion.

In 2023, the company suffered a ransomware attack by the ALPHV/BlackCat ransomware gang. The attack disrupted the company’s website and a portion of its manufacturing and distribution operations, forcing IT teams to take certain systems offline to contain the incident.

What data was allegedly stolen?

Cybernews researchers have examined the data samples published on the dark web.


The samples suggest the attackers exfiltrated a wide variety of sensitive files, including executive communications, personal documents, legal documents, and intellectual property, such as prototypes and proprietary designs for one of TriMed's surgical products.

“This might indicate that the Lynx ransom group could have long-term access to critical systems, allowing them to identify and steal the most impactful information. This could potentially mean maximizing their leverage for extortion,” said Mantas Sabeckis, a Cybernews researcher.

A leaked email exchange between executives revealed details of high-level financial dealings. It discussed transfers of millions of US dollars, with sensitive details such as IBANs and bank account numbers visible.

“This type of info is extremely valuable for malicious individuals planning spear-phishing campaigns against executives,” added Sabeckis.

The data samples also included personal documents, such as a driver's license and a passport.

TriMed's response

Cybernews contacted the company, which confirmed a cybersecurity incident affecting parts of TriMed's IT systems. The company's spokesperson said the internal investigation is still ongoing.

“TriMed operates independently of Henry Schein’s core systems and business, and we have no information to believe this incident has in any way impacted Henry Schein’s central operations,” wrote the company.

As per the statement, after becoming aware of the incident, TriMed took certain systems offline and implemented other precautionary steps to contain it.

TriMed also said it has engaged external cybersecurity specialists to assess the potential scope and impact of the incident.


“We have identified some evidence suggesting that certain TriMed information may have been involved. However, our assessment of the scope and nature of the information is still ongoing,” the company's spokesperson said.

What is Lynx ransomware?

First observed in mid-2024, the gang operates as a ransomware-as-a-service (RaaS) outfit and is known to target organizations in the finance, architecture, and manufacturing sectors.

Darktrace’s Threat Research teams also uncovered Lynx-related incidents targeting energy and retail sectors across the Middle East and Asia-Pacific regions.

According to Cybernews' in-house surveillance tool, Ransomlooker, the gang has listed 196 victims since 2024 and is among the key players in the ransomware scene. Just this week, the gang claimed a well-known British construction company, Dodd Group, as one of its latest victims. In September, Lynx claimed to have stolen data from the largest US sushi and seafood provider, True World Group LLC.

Other alleged Lynx victims include Dollar Tree; Rose Acre Farms, America’s second-largest egg producer; and WDEF-TV, a major CBS affiliate.


Unit 42 researchers have found that Lynx’s malware shares significant portions of its source code with the INC ransomware variant, indicating the group likely repurposed readily available INC code to craft its own custom strain.

Lynx might be linked to Russia, as it actively recruits on Russian-speaking underground forums. Like many Russia-based cybercrime groups, Lynx explicitly states that it does not target organizations in Russia or other CIS countries.

This is a common tactic used by Russian threat actors to operate without interference from authorities in their home territory. On its leak site, the Lynx gang claims it has a clear intention to avoid undue harm to organizations. It claims to follow ethical policies and not to target governmental institutions, hospitals, or non-profit organizations, as “these sectors play vital roles in society.”


“Our operational model encourages dialogue and resolution rather than chaos and destruction,” it says.

Article updated on October 7th, 8:00 AM GMT with the company's statement
