Clop Ransomware Leaks Stolen Data from U.S. Pharma Firm ExecuPharm After Failed Negotiations
The Clop ransomware group has published sensitive data stolen from ExecuPharm, a U.S.-based contract research organization (CRO) serving the pharmaceutical industry, after ransom negotiations collapsed. The attack, disclosed by ExecuPharm in a data breach notification filed with Vermont’s Attorney General, occurred on March 13, 2020, following a successful spearphishing campaign targeting employees.
ExecuPharm, which employs over 18,000 clinical specialists globally, confirmed that attackers encrypted its servers and demanded a ransom in exchange for decryption. The company restored affected systems from backups but refused to pay, prompting Clop to leak the stolen data on its dark web portal. According to Clop, negotiations initially progressed, including a 20% discount on the ransom, but stalled when ExecuPharm allegedly ceased communication.
The leaked data includes 19,000 employee emails (from ExecuPharm and its parent company, Parexel), 80,000+ email correspondences, and 163GB of sensitive documents, such as financial records, accounting files, and SQL backups of the company’s document management system. Compromised personal information encompasses Social Security numbers, passport details, bank account numbers, credit card data, and national ID numbers, raising risks of identity theft and fraud.
ExecuPharm reported the incident to U.S. law enforcement and engaged third-party cybersecurity firms to investigate. The company has since implemented enhanced security measures, including forced password resets, multi-factor authentication (MFA) for remote access, and advanced endpoint protection tools.
Clop has targeted other high-profile organizations, including Maastricht University, which paid a 30 Bitcoin ransom in February 2020 after a similar spearphishing attack. The group claims to avoid attacking hospitals, charities, and pharmaceutical firms involved in COVID-19 vaccine or drug development, offering free decryption to the latter if they provide proof of their work. However, Clop has previously listed and later removed other pharmaceutical companies from its leak site.
Parexel TPRM report: https://www.rankiteo.com/company/parexelfsp
ExecuPharm TPRM report: https://www.rankiteo.com/company/execupharm
"id": "exepar1769742071",
"linkid": "execupharm, parexelfsp",
"type": "Ransomware",
"date": "3/2020",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'industry': 'Pharmaceutical',
                        'location': 'U.S.',
                        'name': 'ExecuPharm',
                        'size': '18,000+ employees globally',
                        'type': 'Contract Research Organization (CRO)'}],
 'attack_vector': 'Spearphishing',
 'data_breach': {'data_encryption': 'Yes (servers encrypted by ransomware)',
                 'data_exfiltration': 'Yes (163GB of sensitive documents leaked)',
                 'file_types_exposed': ['Emails', 'Financial records', 'Accounting files', 'SQL backups'],
                 'number_of_records_exposed': '19,000 employee emails, 80,000+ email correspondences',
                 'personally_identifiable_information': 'Social Security numbers, passport details, bank account numbers, credit card data, national ID numbers',
                 'sensitivity_of_data': 'High (Social Security numbers, passport details, bank account numbers, credit card data, national ID numbers)',
                 'type_of_data_compromised': ['Employee emails', 'Email correspondences', 'Financial records', 'Accounting files', 'SQL backups', 'Personal identifiable information']},
 'date_detected': '2020-03-13',
 'description': 'The Clop ransomware group published sensitive data stolen from ExecuPharm, a U.S.-based contract research organization (CRO) serving the pharmaceutical industry, after ransom negotiations collapsed. The attack occurred on March 13, 2020, following a spearphishing campaign targeting employees. ExecuPharm restored systems from backups but refused to pay the ransom, leading to the data leak.',
 'impact': {'brand_reputation_impact': 'High',
            'data_compromised': '19,000 employee emails, 80,000+ email correspondences, 163GB of sensitive documents (financial records, accounting files, SQL backups)',
            'identity_theft_risk': 'High (Social Security numbers, passport details, bank account numbers, credit card data, national ID numbers)',
            'operational_impact': 'Systems encrypted, restored from backups',
            'payment_information_risk': 'High (credit card data, bank account numbers)',
            'systems_affected': 'Servers'},
 'initial_access_broker': {'entry_point': 'Spearphishing'},
 'investigation_status': 'Ongoing',
 'motivation': 'Financial gain',
 'post_incident_analysis': {'corrective_actions': 'Forced password resets, MFA for remote access, advanced endpoint protection tools',
                            'root_causes': 'Spearphishing attack'},
 'ransomware': {'data_encryption': 'Yes',
                'data_exfiltration': 'Yes',
                'ransom_paid': 'No',
                'ransomware_strain': 'Clop'},
 'references': [{'source': 'Data breach notification filed with Vermont’s Attorney General'}],
 'regulatory_compliance': {'regulatory_notifications': 'Filed data breach notification with Vermont’s Attorney General'},
 'response': {'containment_measures': 'Restored systems from backups',
              'law_enforcement_notified': 'Yes (U.S. law enforcement)',
              'recovery_measures': 'Systems restored from backups',
              'remediation_measures': 'Forced password resets, multi-factor authentication (MFA) for remote access, advanced endpoint protection tools',
              'third_party_assistance': 'Engaged third-party cybersecurity firms'},
 'threat_actor': 'Clop ransomware group',
 'title': 'Clop Ransomware Leaks Stolen Data from U.S. Pharma Firm ExecuPharm After Failed Negotiations',
 'type': 'Ransomware'}