Clop Ransomware Gang Publishes ExecuPharm Data After Non-Payment of Ransom

The U.S. pharmaceutical company ExecuPharm recently announced it suffered a ransomware attack on March 13, in which certain corporate and employee information was compromised. The attack started with phishing emails sent to its employees, with the subsequent investigation indicating the attackers may have viewed or obtained sensitive data prior to the deployment of the ransomware.

The types of data that were potentially compromised included employee names, taxpayer IDs, Social Security numbers, driver’s license numbers, passport numbers, bank account information, credit card numbers, national insurance numbers, IBAN/SWIFT numbers, and beneficiary information. Data relating to its parent company, Paraxel, was also potentially compromised.

Third party cybersecurity firms were engaged to help investigate the security breach and, assisted by computer forensics experts, the company was able to rebuild all affected servers and has reported that its systems have now been restored and data has been recovered from backups. Additional countermeasures have been implemented to block ransomware emails and improve network security, and endpoint protection, detection, and response tools are being used to improve security moving forward. Individuals whose information was potentially compromised have been offered complimentary identity monitoring services for one year.

ExecuPharm did not disclose the type of ransomware used in the attack, but it has recently been made apparent that the attack involved CLOP ransomware. The threat actors behind the attack published the data stolen in the attack when the ransom was not paid.

It is now common for ransomware groups to steal data prior to deploying ransomware. The data can be used to pressure victims into paying the ransom and the data can also be monetized if the ransom is paid. According to a recent report on Bleeping Computer, which has been in contact with the CLOP group, ExecuPharm had entered into negotiations over the ransom and was given extra time to pay and was offered a 70% discount; however, it appears that this may have been a stalling tactic as payment was not made, hence the decision to publish the stolen data.

Some threat actors have said that they will not attack healthcare organizations and companies involved in developing vaccines and conducting medical research into COVID-19, including the operators of Clop and Maze ransomware. Clop told Bleeping Computer that free decryptors will be provided to pharmaceutical companies that can prove they are working on COVID-19 treatments and vaccines.

Other threat groups are making no such concessions, with several manual ransomware threat actors choosing the COVID-19 pandemic as the perfect time to deploy ransomware to cause maximum disruption.

Microsoft reports that the operators of 10 ransomware variants deployed their ransomware payloads during the first two weeks of April, after compromising the victim’s systems several months previously. Microsoft suggests several steps that should be taken to improve security and advises organizations to conduct investigations to determine if their systems have already been compromised, as it may be possible to identify attacks in progress before ransomware is deployed.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of