Ransomware crooks SIM swap medical research biz exec, threaten to leak stolen data

Advarra probes intrusion claims, says 'the matter is contained'

Ransomware crooks claim they've stolen data from a firm that helps other organizations run medical trials after one of its executives had their cellphone number and accounts hijacked.

The Register understands one or more people close to or affiliated with the notorious Alphv, aka BlackCat, extortion gang managed to get into a work account of an exec at Advarra and may have copied out at least some information from the business. This was done by SIM swapping the victim – transferring their cellphone number to a SIM controlled by the criminals, who could then receive and use one-time authentication codes to change account passwords, login, and root around in profiles and documents.

This is why folks recommend not using text message or call-based methods for authentication and password resets.

The intruders earlier claimed on Alphv's official dark-web site to have stolen from Advarra more than 120GB of confidential data concerning customers, patients, and employees - both past and present. If a ransom demand is not paid, the thieves may leak or sell that information, presumably. Whether the crims actually managed to make off with that data has yet to be confirmed.

This is their last chance to reach out to us before we leak the data

Alongside their data-theft claim, the miscreants shared some people's personal info in an attempt to prove the intrusion did indeed occur: a file containing the name, date of birth, and social security number of a 17-year-old in the US, and the passport scan of an Advarra executive. The crooks also alleged a senior manager at Advarra contacted the gang telling them to, in harsher terms, go screw.

Those boasts have since vanished from the dark-web site, and we have good reason to believe the aforementioned alleged interaction never actually occurred. All the leak site says now is: "Advarra must reach out within 24 hours, or this will post will reflect the exfiltrated data in its entirety."

The gang earlier warned: "This is their last chance to reach out to us before we leak the data. Patients from clinical research studies are also affected."

Based in Columbia, Maryland, Advarra provides services to those carrying out medical research and clinical trials.

A spokesperson for the biz told The Register today: "An Advarra colleague was the victim of a compromise of their phone number. The intruder used this to access some of the employee’s accounts, including LinkedIn, as well as their work account."

The rep went on, playing down the extent of the claimed intrusion:

We have taken containment actions to prevent further access and are investigating with third-party cyber experts. We also notified federal law enforcement. At this time we believe the matter is contained. We further believe that the intruder never had access to our clients’ or partners’ systems and it is safe to connect to Advarra’s systems.

Importantly, we have no evidence that the Advarra systems and products that clients use to interface with us were compromised or accessed. At this time, our business operations have not been disrupted as a result of this activity and we continue to operate as normal. In addition, we continue to take steps to enhance the overall security of our systems in line with industry best practices.

They added its "investigation remains ongoing, and we will provide additional updates as appropriate."

Word of the alleged attack on Advarra comes just days after Alphv criminals leaked 8.6TB worth of data from another US healthcare organization. Morrison Community Hospital in Illinois was posted by the group on October 13 and like Advarra, reportedly refused to negotiate with the group.

Some ransomware groups have historically been known to operate with a claimed degree of morality. Attacks on hospitals, for example, were reversed due to those institutions being perceived as off limits, while others, including BlackCat, have shown no such remorse.

Healthcare organizations have long been a prime target for cybercriminals due to the sensitive nature of the data they hold and the likelihood they have insurance. But according to the latest data from Sophos, the number of attacks targeting the sector fell slightly in 2023 versus last year.

As for the attacks that are successful, in nearly 75 percent of all cases the criminals were able to encrypt data, representing the highest encryption rate in the past three years, Sophos added. In 37 percent of cases where encryption occurred, data was also stolen, we're told. ®

More about


Send us news

Other stories you might like