Incident Report

Double Threat: Examining Henry Schein’s Second Attack In 2 Weeks

By Access Point Consulting

Overview

Henry Schein, a Fortune 500 healthcare company, faced a severe cybersecurity incident, falling prey to the 'BlackCat/ALPHV' ransomware gang for the second time in a month. The most recent attack, detected on November 22, targeted critical systems, causing disruptions to the organization's applications and e-commerce platform. This recurrence underscores the persistence of the threat actor and the need for a comprehensive response to safeguard the company's operations and sensitive data.

The BlackCat ransomware gang compromised Henry Schein's network, utilizing a method not yet explicitly disclosed in available information. However, the modus operandi may include phishing emails, compromised servers, or other sophisticated techniques. The organization likely became aware of the incident through anomalies in the network and unauthorized access, triggering an in-depth investigation into the nature and extent of the compromise.

The attack resulted in significant disruptions to Henry Schein's operations, particularly affecting applications and the e-commerce platform. The threat actor BlackCat claimed responsibility for the breach, asserting that they had stolen a substantial 35 terabytes of critical data. The potential compromise of sensitive information raises concerns regarding regulatory compliance, data integrity, and the company's reputation in the healthcare sector.

Response and Recovery

In response to the incident, Henry Schein promptly took critical applications offline to contain the threat and prevent further propagation. The organization communicated transparently with stakeholders, providing updates on the situation. The threat actors, however, claimed to have re-encrypted the company's devices during a restoration attempt, following a breakdown in negotiations with Henry Schein's team at the end of October. The attackers threatened to release internal payroll data and shareholder folders, heightening the urgency of the response.

The company has successfully restored its U.S. e-commerce platform, marking progress in the recovery phase. However, challenges persist, particularly with the potential release of sensitive data by the threat actors. The expected downtime and the overall impact on business operations remain uncertain, requiring ongoing efforts to restore affected systems and ensure business continuity.

Mitigation

To fortify defenses against ransomware attacks like this, organizations are advised to undertake the following measures:

  1. Conduct a comprehensive review of the organization's cybersecurity infrastructure, identifying weaknesses and vulnerabilities.
  2. Implement advanced threat detection systems capable of identifying and mitigating evolving threats like BlackCat.
  3. Enhance data encryption protocols and access controls to protect sensitive information from unauthorized access.
  4. Invest in ongoing employee training and awareness programs to foster a security-conscious culture within the organization.

The incident serves as a crucial learning opportunity, emphasizing the importance of adapting security practices, collaborating with cybersecurity experts, implementing proactive measures, and strictly avoiding ransom payments to discourage criminal activities and protect the integrity of organizational data and systems.

Recommendations

Access Point recommends that organizations:

  1. Implement advanced threat detection systems, conduct regular security audits, and fortify network defenses to guard against known threats like BlackCat.
  2. Invest in comprehensive training programs to educate employees on identifying and mitigating phishing attempts, a common vector for ransomware attacks.
  3. Regularly update and test incident response plans to ensure the organization is well-prepared to handle and recover from cybersecurity incidents.
  4. Establish collaborations with law enforcement agencies to effectively address cyber threats and enhance the overall cybersecurity posture.
  5. Emphasize a strict policy against paying ransoms, as succumbing to ransom demands not only funds criminal activities but also does not guarantee the recovery of compromised data or systems.