Ransomware feared as IT ‘issues’ force Octapharma Plasma to close 150+ centers

Octapharma Plasma has blamed IT “network issues” for the ongoing closure of its 150-plus centers across the US. It’s feared a ransomware infection may be the root cause of the medical firm’s ailment.

“All centers are experiencing network issues and are currently closed,” according to a  banner across the top of the company’s website. 

One source familiar with the situation, however, told The Register Octapharma Plasma fell to a BlackSuit ransomware infection on Monday. We’re told the downtime stateside will affect supplies of plasma into Octapharma’s European operations.

“If they don’t restore the systems, they will need to close their factories in Europe as more than 75 percent of their plasma comes from the US,” the source told us. “IT management don’t give a s*** about security and they are now learning a lesson.”

Frontier cyberattack

Meanwhile, US ISP Frontier’s internal systems suffered an outage this week, taking down its support desk, payment systems, and its ability to send out technicians to install and repair subscribers’ connections. While the internet provider was silent on the cause and extent of the breakdown, it told the SEC today “a third party had gained unauthorized access to portions of its information technology environment,” and the ISP was trying to contain the intrusion.

“The containment measures, which included shutting down certain [parts] of the company’s systems, resulted in an operational disruption,” the biz admitted. It also said the intruders likely got hold of people’s personal information, and it is in the process of recovering from the cyberattack. Again, this may be another ransomware infection.

Octapharma Plasma, which operates more than 150 blood plasma donation centers across America and claims to employ more than 3,500 people nationally, did not respond to The Register‘s inquiries.

“Further updates on reopening will be sent via email, social media, OctaApp, and our website,” Octapharma noted on its website today.

Parent company Octapharma Group, which is based in Germany and has operations across 118 countries, boasted operating income of €436 million ($464 million) in 2023, with record-setting sales of €3.266 billion ($3.48 billion).

The criminals broke into the plasma giant’s VMware systems before deploying the BlackSuit ransomware, our source claimed.

BlackSuit is a relatively new strain of ransomware, which shares code with Royal — and may even be a rebrand of that particular crew. And Royal was a successor to Conti, after the notorious Russian crew disappeared in June 2022.

In November, the US Department of Health and Human Services warned [PDF] that BlackSuit was aggressively targeting healthcare and public health organizations using double-extortion tactics: First stealing sensitive files and then encrypting the data on compromised networks before demanding a ransom payment.

Our source close to the alleged Octapharma infection didn’t know if any extortionists had made any ransom demand, or if the company was negotiating with a crew. We’re told the FBI has been alerted, and we’ve asked the federal bureau for comment.

If it does turn out to be ransomware, Octapharma will join a growing list of US hospitals, health centers and medical firms that have been hit so far this year, as criminals increasingly target these critical orgs. 

Encrypting hospital and pharmacy systems with malware may prevent patients from accessing life-saving treatments and medications. Plus, patients and donors trust healthcare companies to protect their sensitive medical and financial details, which puts these providers at risk of class-action lawsuits and investigations if they breach that trust and allow protected information to leak.

All of this means that the healthcare sector, when facing extortion demands, is more likely to pay a ransom. And that makes the entire industry a prime target for financially motivated crime gangs that have been using increasingly vile extorion tactics to force medical facilities to pay up. ®

Speaking of ransomware…

The FBI, CISA, Europol’s European Cybercrime Centre, and the Netherlands’ National Cyber Security Centre today released an advisory on the Akira ransomware strain. We’re told the malware’s masterminds get into organizations “mostly using known Cisco vulnerabilities.” The government agencies have issued advice and further information on securing networks from the ransomware and detecting intrusions.

READ MORE HERE