Ransomware fiends boast they've stolen 1.4TB from US pharmacy network

American Associated Pharmacies yet to officially confirm infection


American Associated Pharmacies (AAP) is the latest US healthcare organization to have had its data stolen and encrypted by cyber-crooks, it is feared.

The criminals over at the Embargo ransomware operation claimed responsibility for the hit job, allegedly stealing 1.469 TB of AAP's data, scrambling its files, and demanding payment to restore the information.

AAP, which oversees a few thousand independent pharmacies in the country, hasn't officially confirmed an attack, nor has it responded to The Register's request for input on the claims. At the time of writing, its website warns all user passwords were recently force-reset. It did not explain why the resets were forced nor mention a cyberattack.

"All user passwords associated with both APIRx.com and RxAAP.com have been reset, so existing credentials will no longer be valid to access the sites," a website notice reads. "Please click 'forgot password' on the log in screen and follow the prompts accordingly to reset your password."

American Associated Pharmacies' website informing customers their passwords were reset amid the suspected ransomware attack

The notice also states that API Warehouse, an AAP subsidiary devoted to helping partners save on branded and generic prescription drugs through wholesale buying plans, had some nondescript inventory issues, which are now resolved.

As ever with these things, take claims by ransomware miscreants with a pinch of salt, but Embargo's own site claims AAP paid $1.3 million to have their systems decrypted and that it's demanding an additional $1.3 million to keep a lid on the pilfered documents.

If true, the demands made by Embargo exceed the average, which the FBI said earlier this year is in the region of $1.5 million.

It hasn't been said what kind of data the ransomware group stole from AAP, if any at all. The pharmacy network was given a deadline of November 20 to pay the remaining "balance" before its data would be leaked online – a classic double extortion scenario.

What isn't a classic move is Embargo's tendency to assign blame to specific individuals after deciding to leak a victim's data. In a number of cases where victims have let the countdown timer run down, Embargo has listed the names, email addresses, and phone numbers of key figures in the organization that it believes hindered the payment and negotiation process. Sometimes this also included the third-party incident responders drafted to help handle an attack.

Embargo is a relatively new group on the ransomware scene. Researchers at ESET first noticed it as recently as June, and it is among a number of gangs using endpoint detection and response (EDR) killing tools to deploy its main payload.

Despite being around for mere months, it has garnered attention from established cybercriminals, with the likes of Storm-0501 also seen using its Rust-based ransomware kit.

As for AAP, it was founded in 2009 through the merger of Phoenix-based United Drugs and Alabama-based Associated Pharmacies. According to its website, the co-operative oversees more than 2,000 independent pharmacies across the US.

Other than the sparsely detailed notice slapped on its website, AAP hasn't publicly acknowledged anything about the alleged robbery. Some interested folks have asked about the "outage" on its social media channels, and they haven't received a response. ®
