American Associated Pharmacies (AAP), a Scottsboro, Ala.-based pharmacy network overseeing over 2,000 independent pharmacies, suffered a ransomware attack by the Embargo group. Hackers stole 1.4 TB of data, including protected health information (PHI) and clinical laboratory testing records, encrypting files and demanding $1.3 million for decryption. AAP reportedly paid the initial ransom, but Embargo later demanded an additional $1.3 million to prevent data leakage. The attack disrupted API Warehouse operations, forcing password resets for APIRx.com and RxAAP.com. The breach exposed thousands of patients’ medical and account details, with potential long-term risks of identity theft and fraud. The incident follows similar attacks on Memorial Hospital (Georgia) and Weiser Memorial Hospital (Idaho), highlighting Embargo’s sophisticated EDR-killer toolkit and double-extortion tactics (encryption + data leak threats).
Source: https://www.darkdaily.com/2024/12/02/american-associated-pharmacies-struck-by-ransomware-attack/
TPRM report: https://www.rankiteo.com/company/rxaap
"id": "rxa1362213091025",
"linkid": "rxaap",
"type": "Ransomware",
"date": "12/2024",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization’s existence"
{'affected_entities': [{'industry': 'healthcare',
'location': 'Scottsboro, Alabama, USA',
'name': 'American Associated Pharmacies (AAP)',
'size': 'over 2,000 independent pharmacies served',
'type': 'pharmacy network'},
{'industry': 'healthcare/pharmacy',
'location': 'USA',
'name': 'API Warehouse (subsidiary of AAP)',
'size': '2,500+ SKUs in inventory',
'type': 'wholesale purchasing platform'},
{'industry': 'healthcare',
'location': 'Bainbridge, Georgia, USA',
'name': 'Memorial Hospital and Manor',
'size': '80-bed hospital + 107 long-term care beds',
'type': 'community hospital and long-term care '
'facility'},
{'industry': 'healthcare',
'location': 'Weiser, Idaho, USA',
'name': 'Weiser Memorial Hospital',
'type': 'critical access hospital'}],
'attack_vector': ['endpoint detection and response (EDR) killer toolkit',
'data exfiltration',
'file encryption'],
'customer_advisories': ["'Important Notice' on AAP website regarding limited "
'ordering capabilities'],
'data_breach': {'data_encryption': 'files encrypted by ransomware',
'data_exfiltration': '1.4 TB of data stolen',
'personally_identifiable_information': 'likely (PHI includes '
'PII)',
'sensitivity_of_data': 'high (includes PHI and medical '
'records)',
'type_of_data_compromised': ['protected health information '
'(PHI)',
'clinical laboratory testing '
'data',
'medical records',
'account details',
'prescription data']},
'description': 'American Associated Pharmacies (AAP), a major pharmacy '
'network overseeing over 2,000 independent pharmacies, was '
"struck by a ransomware attack by the group 'Embargo.' The "
'attackers stole 1.4 TB of data, encrypted files, and '
'initially demanded $1.3 million for decryption. After AAP '
'allegedly paid the ransom, Embargo demanded an additional '
'$1.3 million to prevent public disclosure of the stolen data. '
'The attack disrupted AAP’s API Warehouse subsidiary, leading '
'to limited ordering capabilities and a password reset for all '
'users. Embargo is described as a sophisticated, opportunistic '
'group with a history of targeting healthcare entities, '
'including Memorial Hospital and Manor (Georgia) and Weiser '
'Memorial Hospital (Idaho).',
'impact': {'brand_reputation_impact': 'high (potential exposure of sensitive '
'patient data, public ransom demands)',
'data_compromised': ['1.4 TB of data (including protected health '
'information - PHI)',
'medical records',
'account details',
'prescription data'],
'downtime': ['limited ordering capabilities restored (partial '
'recovery)',
'four-week outage at Weiser Memorial Hospital '
'(related attack)'],
'identity_theft_risk': 'high (PHI and account details compromised)',
'operational_impact': ['switch to paper-based systems (in related '
'attacks)',
'disruption of pharmacy order processing'],
'systems_affected': ['API Warehouse ordering system (APIRx.com)',
'RxAAP.com',
'email systems (in related attacks)',
'electronic health record (EHR) systems (in '
'related attacks)']},
'initial_access_broker': {'data_sold_on_dark_web': 'threatened, not confirmed '
'(Embargo said it would '
'publish the stolen data if '
'the additional ransom was '
'not paid; no sale or leak '
'has been confirmed)',
'high_value_targets': ['protected health '
'information (PHI)',
'clinical laboratory data',
'prescription records']},
'investigation_status': 'ongoing (no official confirmation or detailed report '
'from AAP)',
'lessons_learned': 'Healthcare entities, including clinical laboratories and '
'pharmacies, must proactively upgrade cybersecurity '
'defenses to protect against sophisticated ransomware '
'groups like Embargo. Regular security assessments, '
'endpoint detection improvements, and employee training '
'are critical to mitigating risks of PHI exposure and '
'operational disruptions.',
'motivation': 'financial gain (ransom extortion)',
'post_incident_analysis': {'root_causes': ['EDR defenses disabled by '
"Embargo's EDR-killer toolkit "
'once inside the network (a '
'post-compromise step, not '
'the initial-access cause).',
'Potential lack of network '
'segmentation allowing lateral '
'movement.',
'Possible phishing or credential '
'theft enabling initial access '
'(unconfirmed; AAP has published '
'no root-cause report).']},
'ransomware': {'data_encryption': 'yes (files encrypted)',
'data_exfiltration': 'yes (1.4 TB of data stolen)',
'ransom_demanded': '$1.3 million (initial) + $1.3 million '
'(additional for data suppression)',
'ransom_paid': '$1.3 million (allegedly paid for decryption, '
'unconfirmed by AAP)',
'ransomware_strain': 'Embargo'},
'recommendations': ['Implement multi-factor authentication (MFA) for all '
'systems handling PHI.',
'Enhance endpoint detection and response (EDR) '
'capabilities to counter tools like those used by '
'Embargo.',
'Conduct regular security audits and penetration testing '
'to identify vulnerabilities.',
'Develop and test incident response plans specific to '
'ransomware and double extortion scenarios.',
'Educate employees on phishing and social engineering '
'tactics to prevent initial access by threat actors.',
'Segment networks to limit lateral movement by attackers.',
'Maintain offline, encrypted backups to enable recovery '
'without paying ransom.',
'Monitor dark web and threat intelligence feeds for signs '
'of stolen data being sold or leaked.'],
'references': [{'source': 'The Register'},
{'source': 'HIPAA Journal'},
{'source': 'HealthcareInfoSecurity (interview with Mike '
'Hamilton, CISO of Critical Insight)'},
{'source': 'ESET (research on Embargo ransomware)'},
{'source': 'The Cyber Express (Memorial Hospital attack)'},
{'source': 'Dark Daily (multiple articles on healthcare '
'cyberattacks)'},
{'source': 'Reuters (Change Healthcare/BlackCat attack)'}],
'regulatory_compliance': {'regulations_violated': ['potential HIPAA '
'violations (PHI '
'compromised)']},
'response': {'communication_strategy': ["'Important Notice' posted on AAP "
'website',
'no official public statement on '
'breach'],
'containment_measures': ['password reset for all users on '
'APIRx.com and RxAAP.com',
'partial restoration of ordering '
'capabilities'],
'incident_response_plan_activated': 'likely (password resets '
'implemented)',
'recovery_measures': ['limited ordering capabilities restored '
'for API Warehouse']},
'stakeholder_advisories': ['password reset notice for APIRx.com and RxAAP.com '
'users'],
'threat_actor': 'Embargo (ransomware group)',
'title': 'American Associated Pharmacies Ransomware Attack by Embargo',
'type': ['ransomware', 'data breach', 'double extortion']}
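Worked detection example for the 'EDR killer toolkit' attack vector and the 'enhance EDR capabilities' recommendation in the record above. This is an editor-added example, not code from AAP, ESET or any source cited in the record. It correlates, per host, a kernel-mode driver service installed from a user-writable path (Windows System log event 7045) with protected security services stopping shortly afterwards (System log event 7036, or an `sc.exe stop` seen in a Sysmon process-creation event 1). The sample events, host names, protected-service list, path prefixes and the 10-minute window are constructed assumptions for illustration and are not Embargo indicators.

```python
"""Heuristic detection of EDR-tampering behaviour in Windows event logs.

Editor-added example. The event records below are constructed, not real
telemetry from the AAP incident; the security-product service names, the
user-writable path prefixes and the correlation window are assumptions.
"""
from datetime import datetime, timedelta

# Security-product service names as they appear in the logs: short names in
# sc.exe command lines, display names in System log event 7036 (assumption).
PROTECTED_SERVICES = {
    "WinDefend", "Windows Defender Antivirus Service",
    "Sense", "Windows Defender Advanced Threat Protection Service",
    "CSFalconService", "CrowdStrike Falcon Sensor Service",
}
# A kernel driver loaded from one of these locations is unusual (assumption).
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
WINDOW = timedelta(minutes=10)  # install-to-kill correlation window (assumption)

# Constructed sample telemetry, normalised to one dict per event. Field names
# mirror System log 7045/7036 and Sysmon event 1; values are invented.
SAMPLE_EVENTS = [
    {"ts": "2024-11-01T02:10:05", "host": "WS-PHARM-07", "event_id": 7045,
     "fields": {"ServiceName": "updsvc", "ServiceType": "kernel mode driver",
                "ImagePath": "C:\\ProgramData\\updsvc\\drv.sys"}},
    {"ts": "2024-11-01T02:11:40", "host": "WS-PHARM-07", "event_id": 1,
     "fields": {"Image": "C:\\Windows\\System32\\sc.exe",
                "CommandLine": "sc.exe stop WinDefend"}},
    {"ts": "2024-11-01T02:12:02", "host": "WS-PHARM-07", "event_id": 7036,
     "fields": {"param1": "Windows Defender Antivirus Service", "param2": "stopped"}},
    # Benign: vendor driver installed from the system drivers directory,
    # followed by an AV service bounce during an update.
    {"ts": "2024-11-01T03:00:00", "host": "WS-FRONT-02", "event_id": 7045,
     "fields": {"ServiceName": "prtdrv", "ServiceType": "kernel mode driver",
                "ImagePath": "C:\\Windows\\System32\\drivers\\prtdrv.sys"}},
    {"ts": "2024-11-01T03:02:30", "host": "WS-FRONT-02", "event_id": 7036,
     "fields": {"param1": "Windows Defender Antivirus Service", "param2": "stopped"}},
    # A protected-service stop with no preceding driver install: out of scope here.
    {"ts": "2024-11-01T04:15:00", "host": "SRV-ORDER-01", "event_id": 7036,
     "fields": {"param1": "Windows Defender Antivirus Service", "param2": "stopped"}},
]


def _ts(ev):
    return datetime.fromisoformat(ev["ts"])


def suspicious_driver_install(ev):
    """System 7045 for a kernel-mode driver whose image lives in a user-writable path."""
    f = ev["fields"]
    return (ev["event_id"] == 7045
            and f.get("ServiceType") == "kernel mode driver"
            and f.get("ImagePath", "").lower().startswith(USER_WRITABLE_PREFIXES))


def stopped_protected_service(ev):
    """Return the protected service this event stops, or None."""
    f = ev["fields"]
    if (ev["event_id"] == 7036 and f.get("param2") == "stopped"
            and f.get("param1") in PROTECTED_SERVICES):
        return f["param1"]
    if ev["event_id"] == 1 and f.get("Image", "").lower().endswith("\\sc.exe"):
        args = f.get("CommandLine", "").split()
        if len(args) >= 3 and args[1].lower() == "stop" and args[2] in PROTECTED_SERVICES:
            return args[2]
    return None


def detect_edr_killer(events, window=WINDOW):
    """Per host, pair a suspicious driver install with protected-service stops
    that follow it within `window`. Returns one alert per (host, driver)."""
    alerts = {}    # (host, driver path) -> alert dict
    installs = {}  # host -> [(install time, driver path)]
    for ev in sorted(events, key=_ts):
        host, ts = ev["host"], _ts(ev)
        if suspicious_driver_install(ev):
            installs.setdefault(host, []).append((ts, ev["fields"]["ImagePath"]))
            continue
        svc = stopped_protected_service(ev)
        if svc is None:
            continue
        for install_ts, path in installs.get(host, []):
            if timedelta(0) <= ts - install_ts <= window:
                alert = alerts.setdefault((host, path), {
                    "host": host, "driver": path,
                    "installed_at": install_ts.isoformat(),
                    "services_stopped": []})
                alert["services_stopped"].append(svc)
                break
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_edr_killer(SAMPLE_EVENTS):
        print(alert)
```

Run as a script, this flags only WS-PHARM-07: a driver dropped under C:\ProgramData and, within two minutes, Defender stopped first via sc.exe and then as reported by the service control manager. The WS-FRONT-02 update and the lone stop on SRV-ORDER-01 are not flagged; a protected service stopping with no preceding driver install is worth its own lower-severity rule rather than being folded into this one. In production, the 7045 path check would be complemented by matching the driver's hash against a known-vulnerable-driver list and by alerting on the install itself regardless of what follows.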