
Pharmaceutical distributor AmerisourceBergen confirmed that hackers compromised the IT system of one of its subsidiaries after threat actors began leaking allegedly stolen data.

AmerisourceBergen is a pharmaceutical product distributor, medical business consultant, and patient services provider. The company is a giant in the healthcare industry, employing 42,000 people and operating multiple distribution centers in the United States, Canada, and the UK, with 150 offices worldwide.

As first reported by security researcher Dominic Alvieri, the Lorenz ransomware gang ended a lengthy period of silence by listing AmerisourceBergen and their allegedly stolen data on its extortion site.

AmerisourceBergen confirmed the attack to BleepingComputer, stating that the intrusion was contained and they are investigating whether the incident has resulted in the compromise of sensitive data.

The complete statement from AmerisourceBergen is shared below:

“AmerisourceBergen’s internal investigation quickly identified that a subsidiary’s IT system was compromised. We immediately engaged the appropriate teams to limit the intrusion, contained the disruption and took precautionary measures to ensure all systems were and are now clear of any intrusions.”

“This was an isolated incident and we are in the process of investigating to determine whether any sensitive data was compromised. We take our responsibility to protect data very seriously and continue to secure and strengthen our networks to prevent any future issues.” - AmerisourceBergen.

The Lorenz ransomware group has posted all files allegedly stolen from AmerisourceBergen and MWI Animal Health, presumably the subsidiary that was breached.

The threat actors set the post date to November 1, 2022, even though the files were published just now, which might indicate that the breach happened a couple of months back.

AmerisourceBergen listed on Lorenz (BleepingComputer)

It is important to note that while the leaked files appear genuine, AmerisourceBergen has not yet confirmed these files were stolen from its networks.

Lorenz ransomware operators were recently observed using critical flaws in Mitel telephony systems to gain access to corporate networks. The threat actors then lie low for several months until they are ready to use the deployed backdoor to exfiltrate data and encrypt files.

Although Lorenz isn’t the most prolific threat group in the ransomware space, its attacks have a major impact due to targeting large firms.

A notable example from last year was an attack against the multinational defense contractor Hensoldt that resulted in the exfiltration of internal documents.
