AmerisourceBergen data breach: Lorenz ransomware gang claims attack on pharma giant

American pharmaceutical sourcing and distribution services company AmerisourceBergen suffered a significant data breach that involved the Lorenz ransomware gang stealing data from its network and leaking it online.

Operating multiple distribution centers in the United States, Canada, and the UK, the pharmaceutical and healthcare giant has over 42,000 employees distributed across 150 offices worldwide.

The breach was first identified by security researcher Dominic Alvieri. He said in a tweet that the Lorenz ransomware gang resurfaced by targeting the pharmaceutical company after laying low for a while. “AmerisourceBergen subsidiary is being accessed through a Lorenz back door,” he tweeted.

 

The files posted by the Lorenz gang belonged to AmerisourceBergen and MWI Animal Health, a subsidiary whose internal network was infiltrated by the threat actor. While the files were published recently, the threat actor’s post dates back to November 1, 2022, indicating that the security incident took place a few months ago.

“Initial entry appears to be May of 2022 while additional data was exfiltrated last week a few days before the new backdated post,” Alvieri tweeted.

AmerisourceBergen has acknowledged the security incident and has launched an investigation to understand the nature and scope of the cyber attack.

“AmerisourceBergen’s internal investigation quickly identified that a subsidiary’s IT system was compromised. We immediately engaged the appropriate teams to limit the intrusion, contained the disruption, and took precautionary measures to ensure all systems were and are now clear of any intrusions.

“This was an isolated incident and we are in the process of investigating to determine whether any sensitive data was compromised. We take our responsibility to protect data very seriously and continue to secure and strengthen our networks to prevent any future issues,” the company said.

Though the pharmaceutical giant has confirmed the data breach, it is yet to confirm the authenticity of the data published by the threat actor and whether it has indeed been stolen from its network.

The Lorenz ransomware gang is relatively new, having first surfaced in February 2021. According to Cybereason, the gang targets victims mostly in English-speaking countries and demands hundreds of thousands of dollars, and even millions in ransom fees. It is believed to be a rebranded version of the “.sZ40” ransomware that was discovered in October 2020.

The security firm adds that the ransomware gang quickly disappeared from the scene after No More Ransom, a joint project by law enforcement agencies, including Europol’s European Cybercrime Centre, released a decrypter for free for all affected victims.