How Clinical Trial Data Security Can Save Your CRO from Ransomware Attacks

Can your business survive a ransom for billions of dollars? Contract research organizations increasingly face exorbitant threats from ransomware. Medical and clinical trial data can be sold on the dark web for several hundred dollars a pop, so hackers are willing to run the risks of infiltrating systems with the hopes of making millions. Along the way, they don’t mind if they cost an average of $7.8 billion in combined ransom and damages to your business.

As a result, CROs need to be intentional about mitigating cybersecurity threats, taking preemptive action to maintain backups, harden endpoints, and monitor systems. Reaching out after receiving a ransom is way too late. Here’s why ransomware is a growing threat to CROs and how the Dexian IT Solutions team was able to prevent one of our clients from paying blackmail or having a cybercriminal group leak PII and proprietary data.

The Spread of Ransomware as a Service

Ransomware is already plaguing businesses as it encrypts crucial data and systems, holding them hostage until their extortion fee is paid. Now, the popularization of ransomware as a service (RaaS) is fueling an escalation in this cybercrime strategy.

We’re already seeing a real-world impact reflected in the market. The 2023 State of Ransomware report shows a 75% increase in ransomware attacks between the first and second halves of the last twelve months. Cybercriminals see the benefit of selling RaaS and splitting the profits, which has resulted in as many as 100 affiliate gangs operating in the United States. One of the most recognizable examples of RaaS, LockBit, has been responsible for over 286 attacks in one year.

What’s worse is hackers can creep into your systems with a variety of approaches that can result in major damage to your brand reputation and bottom line. Here are just a few examples:

• Taiwan Semiconductor Manufacturing Company (TSMC) was jeopardized by a third-party supplier’s lax security posture, putting them potentially on the hook for a $70 million ransom.
• The Colonial Pipeline network was exposed to DarkSide’s ransomware because of an exposed VPN account password and paid $4.4 billion to reestablish their pipeline flow.

Preventing Disaster: A Dexian Success Story

What does it look like to successfully ward off a ransomware attack? A CRO working with Dexian IT Solutions learned firsthand how proper preparation was able to mitigate the threat potential to their organization, saving billions in the process.

How did we spot an incoming ransomware threat? There were early signs.

• A user reported a potential phishing attempt.
• A day later, a user reported a suspicious voicemail offering from an alleged member of the United States Department of Homeland Security offering to help with a potential compromise.

In both instances, one of our service agents responded quickly, telling the user not to click links or attachments while others investigated the authenticity of the communication (we found no one by the agent’s name working for DHS).

After this suspicious activity, our endpoint monitoring service detected a malicious executable file named “llb.exe” on the client’s domain controller system and a shared file server. Some follow-up searches identified the spread of the RaaS tool known as LockBit Black across multiple servers on their environment.

Not waiting for the encryption to take hold, we sprang into action. The client issued password resets for all users while our team began pulling account activity and email logs to pinpoint the source of the compromise. Over the next day, our cybersecurity team installed packet capture tools to analyze network traffic to and from one of the infected domain controller systems, determining how far back they’d need to go to find an uninfected backup for restoration.

We determined two workstations within their Reading Center office were infected by the malware spread, where users would load files from removable storage devices in these stations, making them a likely source of compromise. That in mind, we quarantined the system until we could properly reimage and rejoin them to the network. Then, our service desk team worked through a list of compromise and known exploit indicators to verify these vulnerabilities were not on either cloud or on-prem tools.

We also determined a list of malicious dark-web URLs, which we incorporated into FortiGate firewall policy for incoming and outgoing traffic, averting data exchanges initiated at either end. Using virtual sandboxes, we explored the active site listing the affiliate group’s stolen files, finding no instances of the client’s files posted on the dark web portal. We even evaluated two specific frequent users of the Reading Room and confirmed no evidence of suspicious or compromised activity before rejoining the impacted systems.

Throughout the process, we maintained an uninterrupted channel of communication to keep all stakeholders and members of the team current on our response activity. Yet that was only the beginning of our response. As an ongoing partner, we have acted to enhance their clinical trial cybersecurity. We have:

• Sent an incident brief and sample files to the CISA to foil future attacks for our client and other organizations.
• Implemented security control to encrypt files on-prem, making them unusable in case future data is stolen.
• Planned to educate users through a ransomware and cybersecurity campaign which can minimize the success of social engineering in the future.
• Advocated zero trust security framework across the organization, requiring constant user validation before access is granted.

With these and other actions, our client and similar CROs won’t need to master clinical trial cybersecurity best practices or learn how to pay ransoms – they’ll just need to know how to keep calm while their IT solutions partner handles their ongoing defense.