American Associated Pharmacies Hit by Embargo Ransomware

Incident Date: Nov 13, 2024

Attack Overview

Victim: American Associated Pharmacies
Industry: Transportation
Location: USA
Attacker: Embargo
First reported: November 13, 2024

Ransomware Attack on American Associated Pharmacies by Embargo Group

American Associated Pharmacies (AAP), a cooperative supporting over 2,000 independent pharmacies across the United States, has recently fallen victim to a ransomware attack by the Embargo group. This incident underscores the vulnerabilities faced by organizations in the healthcare sector, particularly those with extensive networks and data repositories.

About American Associated Pharmacies

Established in 2009, AAP is a member-owned cooperative that emerged from the merger of United Drugs and Associated Pharmacies. The organization is headquartered in Scottsboro, Alabama, and employs approximately 130 people. AAP's primary mission is to enhance the profitability and operational efficiency of its member pharmacies through collective buying power and customized services. The cooperative's distribution subsidiary, Associated Pharmacies, Inc. (API), offers a wide range of pharmaceutical products and flexible purchasing options, making it a significant player in the industry.

Details of the Ransomware Attack

The Embargo ransomware group claims to have exfiltrated and encrypted 1.469 terabytes of data from AAP's systems. The attackers have set a ransom deadline for November 20, demanding an additional $1.3 million to prevent the publication of the stolen data, despite AAP allegedly having already paid $1.3 million for decryption keys. In response, AAP has taken steps to mitigate the impact, including restoring limited ordering capabilities on its API Warehouse platform and resetting user passwords across its sites.

Embargo Ransomware Group

First identified in May 2024, the Embargo group operates under a ransomware-as-a-service model, allowing affiliates to conduct attacks while sharing profits with the core group. They utilize Rust for developing their malware, which targets both Windows and Linux systems. Embargo employs a double-extortion tactic, encrypting data and threatening to publish it if the ransom is not paid. Their toolkit includes MDeployer, a loader for deploying ransomware, and MS4Killer, which disables endpoint detection and response systems.
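Because the toolkit described above includes a component whose purpose is to disable endpoint detection and response, one check a defender wants in place is an alert when protection services on a host enter a stopped state, and a higher-severity alert when several of them stop within a short window. The following Python is an added example written for this page, not code from Halcyon or from the incident; it runs over constructed, normalized Service Control Manager events (Windows event ID 7036, service state change) in a simplified `key=value` line format assumed for the demonstration, and the list of protected service names is an assumption an analyst would tailor to their own estate.

```python
"""Flag endpoint-protection service stops in normalized Windows System log lines.

Added example for illustration. The log format below is a constructed,
simplified normalization of event ID 7036 (service entered a new state);
real 7036 events carry the service display name inside a message string.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Service names treated as endpoint protection. Assumed/illustrative; a real
# deployment lists the services of the EDR and AV products actually in use.
PROTECTED_SERVICES = {"WinDefend", "Sense"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) id=(?P<id>\d+) "
    r"service=(?P<service>\S+) state=(?P<state>\S+)$"
)

# Constructed sample input: one host sees two protection services stop within
# seconds (suspicious), another sees a single stop after a restart (benign-ish).
SAMPLE_LOG = """\
2024-11-13T02:14:07Z host=WS-017 id=7036 service=Spooler state=stopped
2024-11-13T02:14:09Z host=WS-017 id=7036 service=WinDefend state=stopped
2024-11-13T02:14:11Z host=WS-017 id=7036 service=Sense state=stopped
2024-11-13T09:30:00Z host=WS-042 id=7036 service=WinDefend state=running
2024-11-13T09:31:00Z host=WS-042 id=7036 service=WinDefend state=stopped
"""


def parse_event(line):
    """Parse one normalized line into a dict, or return None if it does not match."""
    match = LINE_RE.match(line.strip())
    if not match:
        return None
    event = match.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return event


def detect_edr_tampering(log_text, window=timedelta(minutes=5)):
    """Return alerts for protected-service stops.

    Each stop of a protected service yields a 'medium' alert. If more than one
    distinct protected service stops on the same host inside `window`, one
    additional 'high' alert is raised for that host, since a burst of stops is
    consistent with deliberate disabling rather than a single restart.
    """
    alerts = []
    stops_by_host = defaultdict(list)

    for line in log_text.splitlines():
        event = parse_event(line)
        if event is None or event["id"] != "7036" or event["state"] != "stopped":
            continue
        if event["service"] not in PROTECTED_SERVICES:
            continue
        alerts.append({
            "severity": "medium",
            "host": event["host"],
            "services": [event["service"]],
            "ts": event["ts"],
        })
        stops_by_host[event["host"]].append(event)

    # Escalate when several distinct protected services stop close together.
    for host, events in stops_by_host.items():
        events.sort(key=lambda e: e["ts"])
        for i, first in enumerate(events):
            in_window = {
                e["service"] for e in events[i:] if e["ts"] - first["ts"] <= window
            }
            if len(in_window) > 1:
                alerts.append({
                    "severity": "high",
                    "host": host,
                    "services": sorted(in_window),
                    "ts": first["ts"],
                })
                break  # one high alert per host is enough for triage

    return alerts


if __name__ == "__main__":
    for alert in detect_edr_tampering(SAMPLE_LOG):
        print(alert["severity"], alert["host"], ",".join(alert["services"]), alert["ts"])
```

On the sample data this produces three medium alerts (two for WS-017, one for WS-042) and one high alert for WS-017 covering both `Sense` and `WinDefend`; the single stop on WS-042 stays at medium so that ordinary service restarts do not page anyone. Feeding a SIEM's own 7036 events into `parse_event` requires only adapting `LINE_RE` to that product's normalization.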

Potential Vulnerabilities

The attack on AAP highlights the vulnerabilities inherent in organizations with extensive data networks and cooperative structures. The healthcare sector, in particular, is a lucrative target for ransomware groups due to the sensitive nature of the data involved. AAP's reliance on digital platforms for distribution and member services may have presented an attractive target for Embargo, which is known for exploiting security weaknesses in its victims' systems.
