{ "id": "03239e1b-3e92-458b-bddc-20fce8cc6e02", "created_at": "2026-04-06T00:15:38.837968Z", "updated_at": "2026-04-10T13:12:21.034057Z", "deleted_at": null, "sha1_hash": "40ff75972d13aafc83fc630246415880637afea0", "title": "Hackers publish ExecuPharm internal data after ransomware attack | TechCrunch", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 38514, "plain_text": "Hackers publish ExecuPharm internal data after ransomware\r\nattack | TechCrunch\r\nBy Zack Whittaker\r\nPublished: 2020-04-27 · Archived: 2026-04-05 19:25:20 UTC\r\nU.S. pharmaceutical giant ExecuPharm has become the latest victim of data-stealing ransomware.\r\nExecuPharm said in a letter to the Vermont attorney general’s office that it was hit by a ransomware attack on\r\nMarch 13, and warned that Social Security numbers, financial information, driver licenses, passport numbers and\r\nother sensitive data may have been accessed.\r\nBut TechCrunch has now learned that the ransomware group behind the attack has published the data stolen from\r\nthe company’s servers.\r\nIt’s an increasingly popular tactic used by ransomware groups, which not only encrypts a victim’s files but also\r\nexfiltrates the data and threatens to publish the data if a ransom isn’t paid. This new technique was first used by\r\nMaze, a ransomware group that first started hitting targets in December. Since then, a number of new and\r\nemerging groups, including DoppelPaymer and Sodinokibi have adopted the same approach.\r\nThe data was posted to a site on the dark web associated with the CLOP ransomware group. The site contains a\r\nvast cache of data, including thousands of emails, financial and accounting records, user documents and database\r\nbackups, stolen from ExecuPharm’s systems.\r\nWhen reached, a company executive confirmed to TechCrunch that CLOP was behind the attack.\r\n“ExecuPharm immediately launched an investigation, alerted federal and local law enforcement authorities,\r\nretained leading cybersecurity firms to investigate the nature and scope of the incident, and notified all potentially\r\nimpacted parties,” said ExecuPharm operations chief David Granese.\r\nTechcrunch event\r\nSan Francisco, CA | October 13-15, 2026\r\nSince the outbreak of COVID-19, some of the ransomware groups have shown mercy on medical facilities that\r\nthey have pledged not to attack during the pandemic. CLOP said it too would not attack hospitals, nursing homes\r\nor charities, but said ExecuPharm would not qualify, saying that commercial pharmaceutical companies “are the\r\nonly ones who benefit from the current pandemic.”\r\nUnlike some strains of ransomware, there is no known decryption tool for CLOP. Maastricht University found out\r\nthe hard way after it was attacked last year. The Dutch university paid out close to $220,000 worth of\r\ncryptocurrency to decrypt its hundreds of servers.\r\nThe FBI has previously warned against paying the ransom.\r\nhttps://techcrunch.com/2020/04/27/execupharm-clop-ransomware/\r\nPage 1 of 2\n\nThe sinkhole that saved the internet\r\nZack Whittaker is the security editor at TechCrunch. He also authors the weekly cybersecurity newsletter, this\r\nweek in security.\r\nHe can be reached via encrypted message at zackwhittaker.1337 on Signal. You can also contact him by email, or\r\nto verify outreach, at zack.whittaker@techcrunch.com.\r\nView Bio\r\nSource: https://techcrunch.com/2020/04/27/execupharm-clop-ransomware/\r\nhttps://techcrunch.com/2020/04/27/execupharm-clop-ransomware/\r\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "origins": [ "web" ], "references": [ "https://techcrunch.com/2020/04/27/execupharm-clop-ransomware/" ], "report_names": [ "execupharm-clop-ransomware" ], "threat_actors": [], "ts_created_at": 1775434538, "ts_updated_at": 1775826741, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/40ff75972d13aafc83fc630246415880637afea0.pdf", "text": "https://archive.orkl.eu/40ff75972d13aafc83fc630246415880637afea0.txt", "img": "https://archive.orkl.eu/40ff75972d13aafc83fc630246415880637afea0.jpg" } }