Why ransomware groups are targeting pharma companies and the healthcare sector

Experts say the sectors are cash-rich and have loads of sensitive data to lose, making them the target of frequent cyber attacks

Naandika Tripathi
Published: Jul 5, 2023 04:31:01 PM IST
Updated: Jul 5, 2023 05:00:59 PM IST

From Dr. Reddy’s to the All India Institute of Medical Sciences (AIIMS), the pharma and healthcare sectors have been experiencing an uptick in cyberattacks over the past few years. Image: Shutterstock

Just three months after a ransomware attack pulled down India’s largest drugmaker, Sun Pharmaceuticals, the threat actors went after another pharma company. Hyderabad-based Granules India reported a significant loss of revenue and profitability due to a cybersecurity attack in the last week of May.

This had a major effect on the operations of the business due to significant changes in IT systems and the time needed for meeting the regulatory expectations, qualifications, recertifications, and fine-tuning of quality and production systems, the paracetamol maker said in an exchange filing.

While the company has managed to restore production to near normalcy at present, there are backlogs and delays in the clearance of material for quality system approvals to dispatch the products for sale, it added.

The Russia-linked ransomware group LockBit has claimed responsibility for the cyberattack and published portions of the data it allegedly stole. The group's dark web leak site has published 50 percent of the data, and the rest is up for sale.

"Granules India is a company that does not know what cybersecurity and data protection are. During the pen test [penetration test] of its corporate network, we found more than 10 critical vulnerabilities that allowed access to its private data. Moreover, this company refused to protect the data of its employees, customers, partners, and investors in a case where it could and should have done so," said a note put out by the ransomware group on the dark web.

"As proof that we have infiltrated and encrypted this company's corporate network, below I attach a link where you can download 50 percent of the data we stole. The rest of the archive, along with information about vulnerabilities on this company's corporate network, is for sale," it added.

The drug maker’s data, which has been reviewed by Forbes India, was leaked on June 14, 2023, after the company failed to comply with the ransom demand from the LockBit ransomware group.

"Sensitive files of Granules India, including PII (passport) of employees, audit reports, annual budgeting, cyber risk proposals, finance, manufacturing product details, client information, insurance records, R&D, and more, are some of the data available on the dark web. There are many European clients, and hence, the General Data Protection Regulation (GDPR) would be taken seriously as this is a security incident. Many other clients are also from the US," says Rakesh Krishnan, a senior threat analyst at an IT company.  

Granules India declined to comment.  

The company, which is one of the largest Indian pharmaceutical manufacturers, reported an increase in net profit of eight percent to Rs 120 crore in the fourth quarter that ended March 31, compared with Rs 111 crore in the same period in 2022. Revenue for the company increased 16 percent to Rs 1,195 crore from Rs 1,030 crore last year. Founded in 1984, the company produces ibuprofen, paracetamol, metformin, guaifenesin, and methocarbamol, and has more than 300 customers in over 80 countries, as per data available on its website.

From Dr. Reddy’s to the All India Institute of Medical Sciences (AIIMS), the pharma and healthcare sectors have been experiencing an uptick in cyberattacks over the past few years, especially post-Covid-19. These incidents have put a spotlight on the weak cybersecurity infrastructure in the industry.

According to Check Point Research, healthcare saw the highest number of attacks among all sectors in India, with an organisation in India being attacked 1,866 times per week on average in 2022. The top three most-attacked industries in India were healthcare, followed by education/research and government/military. The study also highlighted that global cyberattacks increased by 38 percent in 2022 compared to 2021.

In healthcare and pharma, organisations still have room to improve on how they deal with cyberattacks, given the consequences. When analysing crowdsourced data from over 200,000 infusion pumps, global cybersecurity company Palo Alto Networks found that about three-quarters of them had known security vulnerabilities. This despite a vast pool of knowledge on securing devices against these threat vectors. The need for zero downtime makes it hard to ensure timely security checks and maintenance. Exacerbating this, the usable lifespan of these devices far exceeds the supported period, leading to a hoard of outdated business-critical medical and pharmacological devices, explains Huzefa Motiwala, director for systems engineering, India and SAARC at Palo Alto Networks.

Cyberattackers are also more empowered today. The 2023 Ransomware and Extortion Report by Unit 42 found that harassment surged by 20 times in ransomware cases. The growing ubiquity of Ransomware as a Service (RaaS) groups has also lowered the technical bar. These factors explain the rise in the volume of attacks on healthcare and pharmaceuticals. With the sector already predisposed to bad cyber hygiene and legacy IT infrastructure, emboldened cyber attackers are now willing to stoop lower for a quick payday.

"Healthcare and pharmaceutical institutes must view cybersecurity as an ever-evolving wing of operations and use solutions that constantly adapt. They must deploy AI/ML-enabled solutions that analyse vast amounts of data, detect patterns, and identify potential threats. This enables real-time threat detection and automatic updates of threat intelligence," says Motiwala.

Pharma companies are cash-rich, and are willing to pay. And their growth is fast, says Pankit Desai, co-founder and CEO of cybersecurity firm Sequretek. Healthcare attacks, he adds, are driven to do two things. "One is to create dissatisfaction in the market space. So if AIIMS is down for one week and 10 days, imagine the brouhaha that happens because patients are not getting service. From your critical surgeries not getting done to patients lying in the hospitals who can't leave because you can't do your exit process. This, in turn, creates pressure for them to pay. The other part they go after is data. We don’t even have a data privacy law in place. For instance, if the medical history of any politician or businessman is leaked, that would directly impact their work. So if this kind of sensitive data is leaked, it becomes a huge problem."