Maze ransomware gang discloses data from drug testing firm HMR

Pierluigi Paganini April 08, 2020

The drug testing firm Hammersmith Medicines Research LTD (HMR), which performs live trials of Coronavirus vaccines, discloses a data breach.

Hammersmith Medicines Research LTD (HMR), a London-based company that carries out clinical trials for new medicines and that is on standby to perform live trials of Coronavirus vaccines, has suffered a data breach.

On March 21, the Maze ransomware operators published some of the stolen files on their “leak site,” after the refusal of the research firm of paying the ransom.

Stolen data included the personal information for volunteers who surnames begin with D, G, I, or J.  

“On Saturday 14 March 2020, HMR was subjected to a targeted and sophisticated attack by cyber criminals.  We took immediate action to stop the attack, but not before the attackers had stolen copies of some of our files.  A criminal group called Maze has claimed responsibility.” reads the data breach notification published by the company. “We’re sorry to report that, during 21–23 March 2020, the criminals published on their website records from some of our volunteers’ screening visits.  The website is not visible on the public web, and those records have since been taken down.  The records were from some of our volunteers with surnames beginning with D, G, I or J.  “

The records stolen by the hackers contained scanned copies of documents and results collected by the company at screening, including name, date of birth, identity documents (scanned passport, National Insurance card, driving licence and/or visa documents, and the photograph we took at the screening visit), plus health questionnaires, consent forms, information from GPs, and some test results (including, in a few cases only, positive tests for HIV, hepatitis, and drugs of abuse).

The attack took place on March 14th, 2020, when the Maze Ransomware operators exfiltrated data from the HMR’s network and then encrypt their systems.

“We have no intention of paying. I would rather go out of business than pay a ransom to these people,” managing director Malcolm Boyce told Computer Weekly.

“We’ve beefed up our defenses since the attack with all sorts of software,” said Malcolm Boyce. “My message to other companies is to do everything possible to safeguard yourself because they are quite capable of putting companies out of business, and they are totally without conscience.”

The Hammersmith Medicines Research is notifying impacted individuals via email the incident, the hackers stole data then employed ransomware to encrypt its systems.

The research firm revealed that many of the government IDs exposed in the data breach have since expired.

“Many of the ID documents we have on file have expired, but if you believe you provided to HMR IDs that are still valid, report these documents as being compromised to the organisation that issued them.” continues the notification.

“Consider contacting CIFAS (the UK’s Fraud Prevention Service) to apply for protective registration. Once you’ve registered, you should be aware that CIFAS members will do extra checks to see when anyone, including you, applies for a financial service, such as a loan, using your address.”

Immediately after the beginning of the critical phase of the COVID19 pandemic, BleepingComputer reached out to the operators of the major ransomware gangs asking them if they would continue targeting hospitals.

Some of them like DoppelPaymer and Maze groups announced that they would no target healthcare organizations during the pandemic.

The gang behind the Ryuk ransomware goes against the tide and continues to target the hospitals, the group never responded to the questions of BleepingComputer researchers.

Anyway, the Maze operators publicly released HMR’s documents on March 21st, and the attack took place on the 14th before the group’s announcement.

The INTERPOL (International Criminal Police Organisation) is warning of ransomware attacks against hospitals despite the currently ongoing Coronavirus outbreak.

Attackers are targeting organizations in the healthcare industry via malspam campaigns using malicious attachments. The attachments used as lure appear to be sent by health and government agencies, they promise to provide information on the Coronavirus pandemic and the way to avoid the contagion.

A few days ago, Microsoft warned dozens of hospitals of the risks of ransomware attacks due to insecure VPN devices and gateways exposed online. Microsoft urges hospitals and health care organizations to implement security measures to protect public-facing devices to increase their resilience to cyber attacks.

Microsoft has also published recently details about human-operated ransomware attacks that targeted organizations in various industries.

The INTERPOL now revealed that it had detected over the weekend a significant number of ransomware attacks against key organizations and infrastructure engaged in the virus response.

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – Maze ransomware, Coronavirus)

[adrotate banner=”5″]

[adrotate banner=”13″]



you might also like

leave a comment