Understanding the Pharmaceutical Threat Landscape

The whole world is fighting the spread of COVID-19 and working to return to the lives we had before. Pharmaceutical and medical research teams in different countries are busy searching for a solution to win the battle against the virus. However, cybercriminals and threats don’t rest, even in an international crisis. 

Our partners over at Blueliv have released a report, Sounding the Pharma Alarma, covering a sampling of these threats. It details the threat actors, their tools and TTPs, and offers recommendations for mitigating these risks so that the industry can focus on the common threat of the moment: COVID-19. In this blog, we highlight some of the key threats Blueliv is seeing targeting the pharmaceutical industry right now; other aspects of the report will follow in future blogs. To download a full copy of the report, click here.

Threats to the Pharmaceutical Industry

Pharmaceutical companies face many of the same threats as their peers in other industries: the threat actors behind ransomware attacks and business email compromise (BEC) schemes target largely indiscriminately. Intellectual property (IP) theft, at the hands of both nation-state hacking collectives and unethical competitors, is of particular concern for an industry where the research and development of a single drug can take decades.

Targeted Ransomware

Organizations continue to feel the squeeze of ransomware, and the pharmaceutical industry is no exception. While the period of rampant, indiscriminate ransomware infections that characterized 2017 appears to be behind us, cybercriminals have continued to deploy ransomware in increasingly targeted and potent ways. The past few years have seen the rise of ransomware gangs engaging in “big game hunting,” the practice of deliberately going after large targets with the means to pay exorbitant ransoms. Any big business, in any industry, is therefore an enticing target.

Double extortion is another ransomware innovation, popularized in 2019. Here the gang both steals and encrypts data at the compromised organization; should the victim decline to pay, the attackers threaten to publish the stolen information, raising the stakes for security teams since good backups alone no longer make the problem go away. Double extortion is a particularly difficult situation for pharmaceutical companies, which often hold a tremendous wealth of sensitive information. This is what happened to ExecuPharm in March 2020 following an attack by TA505 that used Clop ransomware.

Threat actors were stealing data and using it to extort victims for years before ransomware became prevalent, and as noted above, the sensitivity of the information held by pharmaceutical companies makes keeping control of that data all the more critical. There are known instances of threat actors compromising organizations, stealing data, and then holding it for ransom in hopes of a large payout. For example, the prolific cyber extortionist TheDarkOverlord ran various extortion schemes of this kind against healthcare entities such as dental and medical offices as recently as 2017.

Intellectual Property Theft

That sensitive information is not only useful to cybercriminals hoping to ransom it for money. Nation-state threat groups, and perhaps unethical competitors, also have their eyes on this prize. Chinese nation-state hackers, for instance, are known to target US pharmaceutical companies, and researchers believe the information stolen in these incidents is likely passed on to Chinese companies to give them an advantage over their US-based competitors. The years of research and development behind a new pharmaceutical make such IP theft particularly damaging. In the current context of COVID-19, the targets may include proprietary manufacturing processes, formulas, recipes, or clinical trial data related to the development of a vaccine or other medical countermeasures.

Business Email Compromise (BEC)

Not every threat is nation-state hacking or a sophisticated ransomware gang, however. BEC schemes are becoming increasingly savvy and lucrative: the FBI’s Internet Crime Complaint Center (IC3) found that in 2019 alone, BEC schemes accounted for $1.77 billion USD in losses, up from $1.3 billion in 2018. In a typical BEC scheme, the email account of a high-profile figure at an organization is compromised, or that person’s address is spoofed, in order to dupe other employees into trusting an instruction to carry out a large money transfer or a similar task. The money or other assets (gangs sometimes request gift cards, for example) end up in cybercriminal hands, unbeknownst to the employee carrying out the task. Phishing attacks and BEC activities against the pharmaceutical sector jumped 129% in 2018 according to researchers at Proofpoint, underscoring the increasing prevalence of this threat.
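The spoofing described above leaves traces in message headers that a mail gateway or SOC can check for. The following Python is an added example written for this post, not code from the Blueliv report or from any vendor: it triages a few constructed sample headers for the three sender-spoofing patterns BEC lures most often rely on (an executive’s display name on a foreign address, a lookalike of the company domain, and a Reply-To that redirects replies elsewhere). The company domain, the executive list and every header below are hypothetical.

```python
"""Added example for this post: triage inbound mail headers for the
sender-spoofing patterns that BEC schemes rely on. Illustrative code,
not Blueliv's or Proofpoint's tooling; the company domain, executive
list and sample headers are constructed for the example."""
from __future__ import annotations
from email.utils import parseaddr

# Assumed organisation details (hypothetical).
COMPANY_DOMAIN = "example-pharma.com"
EXECUTIVES = {"jane doe": "jane.doe@example-pharma.com"}  # display name -> real address

# Digits commonly used to impersonate letters in lookalike domains.
HOMOGLYPHS = str.maketrans("0135", "olse")


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalise_domain(domain: str) -> str:
    """Collapse common homoglyph substitutions (0->o, 1->l, rn->m, vv->w)."""
    return domain.lower().translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def is_lookalike(domain: str) -> bool:
    """True if the domain impersonates ours but is not actually ours."""
    if not domain or domain == COMPANY_DOMAIN:
        return False
    norm = normalise_domain(domain)
    return norm == COMPANY_DOMAIN or levenshtein(norm, COMPANY_DOMAIN) <= 1


def analyse(headers: dict[str, str]) -> list[str]:
    """Return the BEC indicators present in one message's headers."""
    findings: list[str] = []
    name, from_addr = parseaddr(headers.get("From", ""))
    _, reply_addr = parseaddr(headers.get("Reply-To", ""))
    from_domain, reply_domain = domain_of(from_addr), domain_of(reply_addr)

    # 1. Display-name spoofing: a known executive's name on a foreign address.
    real = EXECUTIVES.get(name.strip().lower())
    if real and from_addr.lower() != real:
        findings.append("display-name-spoof")
    # 2. Lookalike domains in either the From or the Reply-To address.
    for label, dom in (("from", from_domain), ("reply-to", reply_domain)):
        if is_lookalike(dom):
            findings.append(f"lookalike-{label}")
    # 3. Reply-To pointing away from the sending domain (reply hijack).
    if reply_domain and reply_domain != from_domain:
        findings.append("reply-to-mismatch")
    return findings


# Constructed sample headers: one legitimate message and three BEC lures.
SAMPLE_MESSAGES = [
    {"From": "Jane Doe <jane.doe@example-pharma.com>", "Subject": "Q2 budget review"},
    {"From": "Jane Doe <janedoe.ceo@gmail.example>",
     "Reply-To": "janedoe.ceo@gmail.example", "Subject": "Urgent wire - confidential"},
    {"From": "Jane Doe <jane.doe@examp1e-pharma.com>", "Subject": "Acquisition payment"},
    {"From": "Accounts Payable <ap@example-pharma.com>",
     "Reply-To": "ap@exarnple-pharma.co", "Subject": "Updated bank details"},
]


def triage(messages: list[dict[str, str]]) -> list[list[str]]:
    return [analyse(m) for m in messages]


if __name__ == "__main__":
    for msg, hits in zip(SAMPLE_MESSAGES, triage(SAMPLE_MESSAGES)):
        print(f"{msg['Subject']!r:35} -> {hits or 'clean'}")
```

Header heuristics like these complement, rather than replace, SPF, DKIM and DMARC enforcement on the company domain: a fully authenticated message from a free-mail or lookalike domain still passes those checks, which is exactly why display-name and lookalike detection is worth running alongside them.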

In our next blog, we’ll look at the key threat actors targeting the Pharmaceutical industry. Can’t wait? Click here and download the full report today!