How ALPHV destroyed Henry Schein’s business: shocking details of three encryptions and hopeless negotiations
The ALPHV/BlackCat group announced plans to encrypt Henry Schein systems for the third time. The move is part of the group's pressure on the company to end negotiations following a massive cyberattack in October. The ongoing negotiations with the hackers are deteriorating, and the group is accusing the company of a lack of professionalism.
Henry Schein, one of the world’s leaders in the distribution of healthcare products and services, had difficulty restoring business operations after the attack. On October 15, the company reported that it was forced to disable some systems to contain the cyberattack. The systems outage caused disruptions in the production and distribution departments.
The story unfolds like a true saga: Henry Schein appears to be at a disadvantage. ALPHV/BlackCat published a long message on its website criticizing Henry Schein for a number of problems, including strategic mistakes, poor communication and questionable decision-making.
In the message, the group declares the “next level of attack” and divides it into three parts: a description of what happened, data security issues at Henry Schein and plans for the future. In addition, the group provided “lessons” of sorts learned from these events to the company’s cybersecurity team and negotiators.
“Coveware, Stroz Friedberg, AVASEK, Proskauer, Clearly and others realized that they should not be overconfident when working with ALPHV. Their strategies proved disastrous, causing the reputable company to suffer operating losses totaling more than $500 million in two months,” the extortionists said.
Attached to the message are samples from the 35 TB of confidential information that BlackCat claims to have extracted from Henry Schein servers. The data includes confidential employee letters, passport data, customer personal data and supplier bank accounts.
The group also published a copy of a report from Stroz Friedberg, which indicates the possibility of BlackCat’s unrestricted access to the company’s systems.
The first attack was discovered on October 15, when the company disabled some systems to prevent further spread of the malware. On November 13, the company confirmed that attackers had gained access to sensitive information such as bank account details and credit card information. Most likely, other valuable information was also leaked. On November 22, the company reported that some of its applications and its e-commerce platform were again taken down as a result of a new attack, for which the BlackCat group was also responsible.
