- American Associated Pharmacies is said to have fallen prey to a ransomware attack
- The attackers say the company paid for the decryptor
- The group asks for more money to keep the stolen files private
American Associated Pharmacies (AAP) joins the growing list of US healthcare organizations that have suffered a ransomware attack.
Like Change Healthcare, Henry Schein, CommonSpirit and many others before it, AAP appears to have suffered the classic double-extortion whammy: sensitive data stolen and systems encrypted.
A report from The Register says the company has not yet made an official statement about the attack; so far it has only force-reset the passwords of all its users and notified them of the change.
Say hello to Embargo
“All user passwords associated with both APIRx.com and RxAAP.com have been reset, so existing login credentials are no longer valid for accessing the sites,” the company said in a brief announcement. “Click ‘forgot your password’ on the login screen and follow the prompts to reset your password.”
The group that took responsibility for the attack is called Embargo. You can be excused for not having heard of them, as they are a relatively new group. ESET appears to have been the first to document the actor, in an intrusion last June in which it used a custom toolkit to disable endpoint detection and response (EDR) tools before dropping its payload. The group was also observed using a Rust-based ransomware kit.
New or not, Embargo claims to have stolen nearly 1.5 TB of sensitive data. It also claims that AAP paid $1.3 million to have its systems restored, and that it must pay another $1.3 million to keep the stolen files off the dark web.
We don’t know what kind of documents Embargo stole from the company, but if the Change Healthcare attack is any indication, they could include highly sensitive patient and financial data, and a leak could lead to class action lawsuits and regulatory pressure.
We have reached out to AAP with additional questions and will update this article if we hear back.