{ "id": "a9900734-83fd-44e9-8bd8-a9fc54eaceff", "created_at": "2026-04-06T00:11:37.159558Z", "updated_at": "2026-04-10T03:31:13.392969Z", "deleted_at": null, "sha1_hash": "e28eb63dbc097b3e208b713fdbbea41bcdbd4022", "title": "Indian pharmaceutical giant warns of revenue loss, litigation after ransomware attack", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 73207, "plain_text": "Indian pharmaceutical giant warns of revenue loss, litigation after\r\nransomware attack\r\nBy Jonathan Greig\r\nPublished: 2023-03-29 · Archived: 2026-04-05 21:27:12 UTC\r\nThe largest pharmaceutical company in India confirmed a ransomware attack in its regulatory filings this week,\r\nexplaining that the incident involved the theft of company data and personal information.\r\nSun Pharmaceuticals – the fourth-largest specialty generic pharmaceutical company in the world – said in filings\r\nwith the Bombay Stock Exchange that efforts to contain and eradicate the ransomware are ongoing and a\r\ncybersecurity firm has been hired to help respond to the incident.\r\nThe company confirmed that a ransomware group has claimed responsibility for the incident but did not name\r\nthem. The notorious Black Cat/AlphV ransomware group listed the company on its leak site on March 24.\r\n“The Company currently believes that the incident’s effect on its IT systems includes a breach of certain file\r\nsystems and the theft of certain company data and personal data. As part of the containment measures, we\r\nproactively isolated our network and initiated the recovery process. As a result of these measures, Company’s\r\nbusiness operations have been impacted,” they wrote.\r\n“Consequently, revenues are expected to be reduced in some of our businesses. The Company would incur\r\nexpenses in connection with the incident and the remediation.”\r\nThe filing provides an update to one submitted on March 2, when the company said it was suffering from a\r\ncyberattack that affected some IT systems but did not impact “core systems and operations.”\r\nSun Pharmaceuticals warned that there may be other adverse effects resulting from the incident, including\r\nincreased cyber insurance costs, potential litigation, as well as diversions of time and effort for senior\r\nmanagement.\r\nThe Mumbai-based company sells pharmaceutical products in more than 100 countries and brought in a revenue\r\nof $5 billion in 2022. It has more than 37,000 employees.\r\nBlack Cat/AlphV has made a point of going after healthcare and pharmaceutical companies. The gang caused\r\noutrage three weeks ago when it extorted a healthcare network in Pennsylvania by publishing photographs of\r\nbreast cancer patients.\r\nThe group also attacked hospital technology giant NextGen Healthcare in January.\r\nThe criminal gang has existed in some form since 2012, according to researchers from Symantec, who said it\r\nbegan using the Carbanak malware to steal money from organizations in the banking, hospitality and retail sectors.\r\nhttps://therecord.media/sun-pharma-india-ransomware-attack\r\nPage 1 of 2\n\nThree members of the group were arrested in 2018 before it evolved into a ransomware-as-a service (RaaS)\r\noperation around 2020.\r\nAlphV/BlackCat has now been used in other high profile attacks on colleges and universities across the U.S. as\r\nwell as businesses like Japanese video game giant Bandai Namco, toy production company Jakks Pacific, two\r\nGerman oil companies and Italian fashion brand Moncler.\r\nJonathan Greig\r\nis a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since\r\n2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia.\r\nHe previously covered cybersecurity at ZDNet and TechRepublic.\r\nSource: https://therecord.media/sun-pharma-india-ransomware-attack\r\nhttps://therecord.media/sun-pharma-india-ransomware-attack\r\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://therecord.media/sun-pharma-india-ransomware-attack" ], "report_names": [ "sun-pharma-india-ransomware-attack" ], "threat_actors": [ { "id": "c9617bb6-45c8-495e-9759-2177e61a8e91", "created_at": "2022-10-25T15:50:23.405039Z", "updated_at": "2026-04-10T02:00:05.387643Z", "deleted_at": null, "main_name": "Carbanak", "aliases": [ "Carbanak", "Anunak" ], "source_name": "MITRE:Carbanak", "tools": [ "Carbanak", "Mimikatz", "PsExec", "netsh" ], "source_id": "MITRE", "reports": null }, { "id": "9de1979b-40fc-44dc-855d-193edda4f3b8", "created_at": "2025-08-07T02:03:24.92723Z", "updated_at": "2026-04-10T02:00:03.755516Z", "deleted_at": null, "main_name": "GOLD LOCUST", "aliases": [ "Anunak", "Carbanak", "Carbon Spider ", "FIN7 ", "Silicon " ], "source_name": "Secureworks:GOLD LOCUST", "tools": [ "Carbanak" ], "source_id": "Secureworks", "reports": null }, { "id": "bb8702c5-52ac-4359-8409-998a7cc3eeaf", "created_at": "2023-01-06T13:46:38.405479Z", "updated_at": "2026-04-10T02:00:02.961112Z", "deleted_at": null, "main_name": "FIN7", "aliases": [ "ATK32", "G0046", "G0008", "Sangria Tempest", "ELBRUS", "GOLD NIAGARA", "Coreid", "Carbanak", "Carbon Spider", "JokerStash", "CARBON SPIDER" ], "source_name": "MISPGALAXY:FIN7", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "86ab9be8-ce67-4866-9f66-1df471e9d251", "created_at": "2024-05-29T02:00:03.942487Z", "updated_at": "2026-04-10T02:00:03.641939Z", "deleted_at": null, "main_name": "Alpha Spider", "aliases": [ "ALPHV Ransomware Group" ], "source_name": "MISPGALAXY:Alpha Spider", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "6e23ce43-e1ab-46e3-9f80-76fccf77682b", "created_at": "2022-10-25T16:07:23.303713Z", "updated_at": "2026-04-10T02:00:04.530417Z", "deleted_at": null, "main_name": "ALPHV", "aliases": [ "ALPHV", "ALPHVM", "Ambitious Scorpius", "BlackCat Gang", "UNC4466" ], "source_name": "ETDA:ALPHV", "tools": [ "ALPHV", "ALPHVM", "BlackCat", "GO Simple Tunnel", "GOST", "Impacket", "LaZagne", "MEGAsync", "Mimikatz", "Munchkin", "Noberus", "PsExec", "Remcom", "RemoteCommandExecution", "WebBrowserPassView" ], "source_id": "ETDA", "reports": null }, { "id": "ed3810b7-141a-4ed0-8a01-6a972b80458d", "created_at": "2022-10-25T16:07:23.443259Z", "updated_at": "2026-04-10T02:00:04.602946Z", "deleted_at": null, "main_name": "Carbanak", "aliases": [ "Anunak", "Carbanak", "Carbon Spider", "ELBRUS", "G0008", "Gold Waterfall", "Sangria Tempest" ], "source_name": "ETDA:Carbanak", "tools": [ "AVE_MARIA", "Agentemis", "AmmyyRAT", "Antak", "Anunak", "Ave Maria", "AveMariaRAT", "BABYMETAL", "BIRDDOG", "Backdoor Batel", "Batel", "Bateleur", "BlackMatter", "Boostwrite", "Cain \u0026 Abel", "Carbanak", "Cl0p", "Cobalt Strike", "CobaltStrike", "DNSMessenger", "DNSRat", "DNSbot", "DRIFTPIN", "DarkSide", "FOXGRABBER", "FlawedAmmyy", "HALFBAKED", "JS Flash", "KLRD", "MBR Eraser", "Mimikatz", "Nadrac", "Odinaff", "POWERPIPE", "POWERSOURCE", "PsExec", "SQLRAT", "Sekur", "Sekur RAT", "SocksBot", "SoftPerfect Network Scanner", "Spy.Agent.ORM", "TEXTMATE", "TeamViewer", "TiniMet", "TinyMet", "Toshliph", "VB Flash", "WARPRISM", "avemaria", "cobeacon" ], "source_id": "ETDA", "reports": null }, { "id": "f4f16213-7a22-4527-aecb-b964c64c2c46", "created_at": "2024-06-19T02:03:08.090932Z", "updated_at": "2026-04-10T02:00:03.6289Z", "deleted_at": null, "main_name": "GOLD NIAGARA", "aliases": [ "Calcium ", "Carbanak", "Carbon Spider ", "FIN7 ", "Navigator ", "Sangria Tempest ", "TelePort Crew " ], "source_name": "Secureworks:GOLD NIAGARA", "tools": [ "Bateleur", "Carbanak", "Cobalt Strike", "DICELOADER", "DRIFTPIN", "GGLDR", "GRIFFON", "JSSLoader", "Meterpreter", "OFFTRACK", "PILLOWMINT", "POWERTRASH", "SUPERSOFT", "TAKEOUT", "TinyMet" ], "source_id": "Secureworks", "reports": null } ], "ts_created_at": 1775434297, "ts_updated_at": 1775791873, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/e28eb63dbc097b3e208b713fdbbea41bcdbd4022.pdf", "text": "https://archive.orkl.eu/e28eb63dbc097b3e208b713fdbbea41bcdbd4022.txt", "img": "https://archive.orkl.eu/e28eb63dbc097b3e208b713fdbbea41bcdbd4022.jpg" } }