Healthcare Giant Henry Schein Pwned TWICE By BlackCat

Healthcare giant Henry Schein was hit by the BlackCat (ALPHV) ransomware group last month, when the group successfully infiltrated its network. The group claimed to have exfiltrated 35TB of data, including payroll and shareholder information. Henry Schein, a Fortune 500 company operating across 32 countries, reported annual revenue exceeding $12 billion in 2022.

Henry Schein acknowledged that the breach occurred on October 15 and that it was forced to shut down systems to contain the cyberattack, which had impacted its manufacturing and distribution operations.

The company immediately informed law enforcement authorities and engaged external cybersecurity and forensics experts to probe the incident, suspecting a potential data breach.

However, two weeks later, when the company had its network almost back to normal, the BlackCat/ALPHV ransomware group added Henry Schein to its dark web leak site, claiming it had successfully penetrated the company’s network and taken the 35 terabytes of data. The group also claimed to have re-encrypted the company’s systems, undoing the progress made during restoration efforts, saying the company was not negotiating in good faith. As Henry Schein was removed from the BlackCat site shortly thereafter, it is likely that the company came to terms with the ransomware group.

Steve Hahn, Executive VP, BullWall:

“Two things are really striking to me:

   “First, that a Fortune 500 company, with the most targeted data on earth (healthcare records), couldn’t stop a Ransomware Attack despite having the funds to utilize every best-of-breed security tool on earth. They no doubt had the best in next-gen EDRs, Gateways, Firewalls, SIEMs and Orchestration tools, yet all the prevention in the world won’t stop a persistent modern-day threat actor. All they need is one foothold: a shadow IT device somebody forgot to decommission that hasn’t been patched or managed, an IoT device, a malicious or incompetent user, even a compromised personal device from an employee who accesses the company network. Once they have that foothold they use red team tools like Mimikatz or Cobalt Strike to extract admin passwords, and with those, every security tool in the environment can be bypassed or disabled. Prevention doesn’t work if it’s not running.

   “Second, they were hit twice. This isn’t commonly known, but 86% of companies hit by Ransomware will be hit again within the next year. Why? Once the threat actor has gained access and maintained persistence, they spin up VMs, user accounts, embed malicious macros in internal documents, whitelist applications and hide hundreds of other second-stage attacks throughout the environment. We see this exact scenario play out hundreds of times per year on some of the most advanced companies on earth.

   “The net here is we are living in a “when” not “if” world of Ransomware. You have to be prepared to contain that Ransomware outbreak in milliseconds, because they’ve doubled their encryption speed this year from 25,000 files per minute to 50,000 files per minute. You have to have MFA to every server, every session, to prevent RDP access that can be used to disable your tools, and you have to have a recovery strategy in place for what happens once you’ve been hit. You cannot stop these events, but you can contain them rapidly and minimize the impact.”

Steve Hahn brings up an interesting point. A lot of companies who get pwned often get pwned again, because once a threat actor gets in, they set up shop and launch second-stage or even third-stage attacks. That should terrify anyone who is entrusted with keeping the bad guys out. And it highlights why the best defence is to not allow the bad guys in from the start.

UPDATE: Craig Harber, Security Evangelist at Open Systems, adds this:

   “Ransomware attacks have surged this year. The latest victim is healthcare giant Henry Schein. The ransomware gang BlackCat (ALPHV) claims it stole 35TB of data, including payroll and shareholder information. There are no published details of the steps taken to infiltrate their network. 

   “Henry Schein notified law enforcement and hired external cyber forensic experts to assist with the investigation. The company engaged its incident response team to contain the attack; however, based on available reporting, the cybercriminal encrypted the company’s devices and data for a second time before the incident response team restored all its systems. Speculation is this happened because ongoing ransom negotiations were unsuccessful. 

   “Ransomware attacks are becoming an all too familiar story. Some companies are not making the necessary investments upfront to protect their critical systems and sensitive data. Then, it is a race against the clock for their incident response teams to secure the systems and sensitive information from further attack once a breach occurs.

   “From every indication, Henry Schein paid the ransom because the ransomware group deleted the published data leak site. The decision to pay a ransomware attack is always complex. There are many factors to consider, not the least of which is you are negotiating with a cybercriminal. There is no guarantee that even if you pay the ransom, these cybercriminals will restore systems and return stolen company data. It is best to heed law enforcement advice and not pay because doing so only encourages continued criminal activity.”
