Overview
Henry Schein, a Fortune 500 healthcare company, suffered a severe cybersecurity incident, falling victim to the 'BlackCat/ALPHV' ransomware gang for the second time in a month. The most recent attack, detected on November 22, targeted critical systems and disrupted the organization's applications and e-commerce platform. The recurrence underscores the persistence of this threat actor and the need for a comprehensive response to safeguard the company's operations and sensitive data.
How the BlackCat ransomware gang gained access to Henry Schein's network has not been explicitly disclosed in the available information; possible vectors include phishing emails, compromised servers, or other intrusion techniques. The organization likely became aware of the incident through network anomalies and signs of unauthorized access, which triggered an in-depth investigation into the nature and extent of the compromise.
The attack significantly disrupted Henry Schein's operations, particularly its applications and e-commerce platform. BlackCat claimed responsibility for the breach, asserting that it had stolen 35 terabytes of critical data. The potential compromise of sensitive information raises concerns about regulatory compliance, data integrity, and the company's reputation in the healthcare sector.
Response and Recovery
In response to the incident, Henry Schein promptly took critical applications offline to contain the threat and prevent further spread. The organization communicated transparently with stakeholders, providing updates on the situation. The threat actors, however, claimed to have re-encrypted the company's devices during a restoration attempt after negotiations with Henry Schein's team broke down at the end of October. The attackers threatened to release internal payroll data and shareholder folders, heightening the urgency of the response.
The company has successfully restored its U.S. e-commerce platform, marking progress in the recovery phase. Challenges persist, however, particularly the threat that the attackers will release the sensitive data they claim to hold. The expected downtime and the overall impact on business operations remain uncertain, requiring ongoing efforts to restore affected systems and ensure business continuity.
Mitigation
To fortify defenses against ransomware attacks like this one, organizations are advised to undertake the following measures:
- Conduct a comprehensive review of the organization's cybersecurity infrastructure to identify weaknesses and vulnerabilities.
- Implement advanced threat detection systems capable of identifying and mitigating evolving threats like BlackCat.
- Strengthen data encryption and access controls to protect sensitive information from unauthorized access.
- Invest in ongoing employee training and awareness programs to foster a security-conscious culture within the organization.
The incident is a crucial learning opportunity. It emphasizes the importance of adapting security practices, collaborating with cybersecurity experts, implementing proactive measures, and strictly refusing ransom payments, both to discourage criminal activity and to protect the integrity of organizational data and systems.
Recommendations
Access Point recommends that organizations:
- Implement advanced threat detection systems, conduct regular security audits, and fortify network defenses to guard against known threats like BlackCat.
- Invest in comprehensive training programs to educate employees on identifying and mitigating phishing attempts, a common vector for ransomware attacks.
- Regularly update and test incident response plans to ensure the organization is well-prepared to handle and recover from cybersecurity incidents.
- Collaborate with law enforcement agencies to address cyber threats effectively and strengthen the overall cybersecurity posture.
- Emphasize a strict policy against paying ransoms, as succumbing to ransom demands not only funds criminal activities but also does not guarantee the recovery of compromised data or systems.