- Global biotech company Miltenyi Biotec disclosed "isolated cases where order processing was impaired by malware" in its IT infrastructure in the last two weeks, according to a company announcement.
- Germany-based Miltenyi, which is aiding in coronavirus research, has been able to contain and recover the affected systems. "Based on our current knowledge, we have no indication that the malware has been inadvertently distributed to customers or partners," the company said.
- Operations are restored and the company does not expect delays in manufacturing or distributing orders.
Miltenyi didn't say what malware strain it found in its systems, but ransomware has been particularly devastating in the healthcare industry this year. Of the ransomware attacks tracked by Cybersecurity Dive between Dec. 31, 2019 and September 2020, 39% targeted healthcare.
"The group behind Mount Locker ransomware claimed to have breached Miltenyi Biotec on Nov. 3," said Allan Liska, senior security architect at Recorded Future. "Unfortunately, healthcare providers continue to be a prime target for ransomware actors as the pandemic rages."
Mount Locker appeared in July and follows the same threat model pioneered by Maze, publicly disclosing data if a ransom isn't paid, according to Bleeping Computer. "Mount Locker uses ChaCha20 to encrypt the files and an embedded RSA-2048 public key to encrypt the encryption key," security researchers told the publication. The strain adds .ReadManual.ID extensions to files so when a user engages with a file, the ransom note — named RecoveryManual.html — is loaded.
In October, the FBI, Department of Homeland Security and Department of Health and Human Services, warned the healthcare industry of a widespread ransomware threat, likely the Ryuk or Conti strains. In details concerning tactics, techniques, and procedures for Conti, Trickbot and BazarLoader, CISA included more indicators of compromise and YARA Rules for Trickbot detection.
While CISA initially extended support for the healthcare industry when COVID-19 hit stateside through Operation Warp Speed, the supply chain is complex and smaller players don't have the IT and security support for sufficient prevention.
Miltenyi's containment is following a theme among those struck by cyberattacks. "A lot of us saw the press or some of the really nasty, destructive attacks," said Mike Towers, CISO at Takeda Pharmaceuticals, while speaking on a panel during Druva's virtual Cloud Data Protection Summit on Tuesday. And while downtime is a primary focus, "the cyber containment part was the shortest part and recovery was the longest part."