The BlackCat/ALPHV ransomware operation has threatened to leak Henry Schein’s data stolen during an apparent ransomware attack.
The Russian-linked ransomware gang listed Henry Schein on its data leak site two weeks after the healthcare giant disclosed a cyber attack that disrupted operations on October 14.
Based in Melville, New York, Henry Schein is a healthcare solutions provider with over 300 products and a customer base of over 1 million. The Fortune 500 company employs over 23,000 workers in 33 countries and earned $12.6 billion in revenue in 2022.
Apparent ransomware attack disrupted Henry Schein’s operations
Henry Schein had taken certain systems offline to contain the apparent ransomware attack, negatively impacting a significant portion of its manufacturing and distribution business.
“Henry Schein promptly took precautionary action, including taking certain systems offline and other steps intended to contain the incident, which has led to temporary disruption of some of Henry Schein’s business operations. The Company is working to resolve the situation as soon as possible,” the company stated.
The ransomware attack forced customers to place orders via Henry Schein representatives or telesales phone numbers. However, it never affected the Henry Schein One practice management software website.
Henry Schein notified relevant law enforcement authorities and engaged external cyber experts to assess the incident.
“The Company has engaged outside cybersecurity and forensic information technology experts to help investigate any data impact and respond to this situation. Henry Schein also has notified relevant law enforcement authorities,” the company stated.
However, the company did not disclose whether the system outage resulted from a BlackCat ransomware attack.
Second ransomware attack after negotiations stalled
BlackCat ransomware encrypted Henry Schein’s devices again after ransom negotiations collapsed.
“Despite ongoing discussions with Henry’s team, we have not received any indication of their willingness to prioritize the security of their clients, partners, and employees, let alone protect their own network,” said the ransomware gang.
The group disclosed it had spent an “extensive period of time” in the company’s network, deployed advanced tools, and exfiltrated a significant amount of data.
The BlackCat ransomware group claims it stole 35 terabytes of data and threatened to publish it online if Henry Schein refused to pay an undisclosed ransom amount.
“As of midnight today, a portion of their internal payroll data and shareholder folders will be published on our collections blog. We will continue to release more data daily,” said BlackCat.
The group accused Henry Schein’s negotiators of lacking commitment and “buying more time, as they have been from the beginning.” Shortly after, the ALPHV ransomware gang removed Henry Schein from the leak site, suggesting a new wave of ransom negotiations.
Steve Hahn, Executive VP at BullWall, highlighted the ability of a sophisticated threat actor to infiltrate a highly secured network.
“… That a Fortune 500 company, with the most targeted data on earth (healthcare records), couldn’t stop a ransomware attack despite having the funds to utilize every best-of-breed security tool on earth,” Hahn noted. “They no doubt had the best in next-gen EDRs, Gateways, Firewalls, SIEMs, and Orchestration tools, yet all the prevention in the world won’t stop a persistent modern-day threat actor.”
“All they need is one foothold- a shadow IT device somebody forgot to decommission that hasn’t been patched or managed, an IoT device, a malicious or incompetent user, even a compromised personal device from an employee who accesses the company network,” added Hahn.
Between November 2021 and March 2022, BlackCat had compromised over 60 organizations worldwide, according to a Flash alert by the FBI’s Cyber Division and the Cybersecurity and Infrastructure Security Agency (CISA).
Henry Schein never disclosed the attack vector exploited, but BlackCat ransomware leverages compromised user credentials to gain access to Active Directory accounts.
Post-exploitation, it leverages Cobalt Strike, PowerShell scripts, Windows administrative tools, and Microsoft Sysinternals. The group is among the first advanced persistent threat actors to use the Rust programming language.
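The post-exploitation tooling listed above (PowerShell scripts, Windows administrative tools, Sysinternals utilities) leaves traces in ordinary Windows event logs, which is what a defender looks for after a credential-based intrusion. The following is an added detection example, not code from the article or from any incident response into Henry Schein. It scans constructed event records shaped like Security Event ID 4688 (process creation) and System Event ID 7045 (service installation) and flags three things: PsExec's service install, execution of Sysinternals binaries, and PowerShell launched with an encoded command, which it decodes. The host names, record layout and command lines are assumptions made for the example.

```python
"""Added example: flag living-off-the-land tooling of the kind the article
attributes to BlackCat in Windows event records.  All sample records below are
constructed for this example and do not come from the Henry Schein incident."""
import base64
import re
from typing import Dict, Iterable, List, Optional

# PowerShell accepts -EncodedCommand and any unambiguous prefix (-e, -ec, -enc, ...);
# the argument is base64 over a UTF-16LE string.
ENCODED_ARG = re.compile(r"(?:^|\s)[-/](?:e|ec|en[a-z]*)\s+([A-Za-z0-9+/=]{8,})", re.IGNORECASE)

# Sysinternals binaries commonly seen in post-exploitation activity (assumed watchlist).
SYSINTERNALS_IMAGES = {"psexec.exe", "psexec64.exe", "psexesvc.exe", "procdump.exe", "procdump64.exe"}

# Constructed payload: what "powershell -enc <blob>" carries for the command Get-Process.
_ENCODED_GET_PROCESS = base64.b64encode("Get-Process".encode("utf-16-le")).decode("ascii")

# Constructed sample records; field names are an assumption, not a real log schema.
SAMPLE_EVENTS: List[Dict] = [
    {"channel": "Security", "event_id": 4688, "host": "WS-042",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": f"powershell.exe -nop -w hidden -enc {_ENCODED_GET_PROCESS}"},
    {"channel": "System", "event_id": 7045, "host": "SRV-DC1",
     "service_name": "PSEXESVC", "image_path": r"%SystemRoot%\PSEXESVC.exe"},
    {"channel": "Security", "event_id": 4688, "host": "WS-017",
     "image": r"C:\Windows\System32\notepad.exe", "command_line": "notepad.exe report.txt"},
    {"channel": "Security", "event_id": 4688, "host": "WS-042",
     "image": r"C:\Tools\PsExec.exe", "command_line": "PsExec.exe -accepteula"},
]


def decode_powershell(blob: str) -> Optional[str]:
    """Decode an -EncodedCommand argument; None if it is not valid base64/UTF-16LE."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None


def scan(events: Iterable[Dict]) -> List[Dict]:
    """Return one finding per matched rule, in event order."""
    findings: List[Dict] = []
    for ev in events:
        eid = ev.get("event_id")
        host = ev.get("host", "?")
        if ev.get("channel") == "System" and eid == 7045:
            # PsExec installs a PSEXESVC service on the target before running a command.
            text = f"{ev.get('service_name', '')} {ev.get('image_path', '')}".lower()
            if "psexesvc" in text:
                findings.append({"host": host, "rule": "psexec_service_install",
                                 "detail": ev.get("service_name", "")})
        elif eid == 4688:
            image = ev.get("image", "").rsplit("\\", 1)[-1].lower()
            cmd = ev.get("command_line", "")
            if image in SYSINTERNALS_IMAGES:
                findings.append({"host": host, "rule": "sysinternals_execution", "detail": image})
            if image in ("powershell.exe", "pwsh.exe"):
                m = ENCODED_ARG.search(cmd)
                if m:
                    decoded = decode_powershell(m.group(1))
                    findings.append({"host": host, "rule": "encoded_powershell",
                                     "detail": decoded if decoded is not None else "<undecodable>"})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f['host']:8} {f['rule']:24} {f['detail']}")
```

The rules are deliberately narrow: a service named PSEXESVC, a binary on the Sysinternals watchlist, or an encoded PowerShell argument. Each of these is legitimate in some administrative workflows, so the findings are meant to be correlated with who ran them and on which hosts rather than treated as conclusive on their own; decoding the payload, as the third rule does, is what lets an analyst make that call quickly.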