Lessons from the American Associated Pharmacies ransomware attack

American Associated Pharmacies (AAP), a major healthcare organization, was allegedly targeted by the ransomware group Embargo. This relatively new group claims to have encrypted AAP’s systems and stolen 1.5TB of sensitive data. Reports suggest that AAP paid $1.3 million to decrypt its systems, but the attackers now demand an additional $1.3 million to prevent the stolen data from being leaked on the dark web.

The company has not publicly confirmed the attack but has responded by resetting user passwords on its platforms, APIRx.com and RxAAP.com. According to Tech Radar, AAP said: “All user passwords associated with both APIRx.com and RxAAP.com have been reset, so existing credentials will no longer be valid to access the sites. Please click ‘forgot password’ on the login screen and follow the prompts accordingly to reset your password.”

Lessons learned from the AAP cyberattack

Double extortion ransomware is on the rise

The AAP case demonstrates the growing prevalence of double extortion attacks, where cybercriminals encrypt systems and steal sensitive data. This tactic increases the pressure on victims to pay, as the threat of public exposure looms large.

• Lesson: Organizations must prepare for the possibility of data theft, not just system encryption. This means implementing strong data loss prevention (DLP) measures and encrypting sensitive data at rest and in transit.

Read more: Report shows healthcare ransomware attacks are increasing

Proactive cybersecurity is non-negotiable

AAP’s response, password resets, is a necessary step, but it shows the importance of proactive measures over-reactive fixes. With the healthcare sector increasingly targeted, robust security protocols are essential.

• Lesson: Regular software updates, network segmentation, multi-factor authentication (MFA), and employee training on phishing scams can reduce the risk of attack.

Read more: Tips for cybersecurity in healthcare

The ransom isn’t the end of the story

The AAP case demonstrates that paying a ransom doesn’t guarantee an end to the crisis. Embargo’s additional demand for payment shows how attackers can exploit victims further.

• Lesson: Never rely on ransom payments as a solution. Instead, focus on having secure backups and incident response plans to restore operations independently.

Healthcare organizations are high-value targets

The sensitive nature of healthcare data makes organizations like AAP attractive to ransomware groups. Stolen data can include patient records, financial details, and intellectual property, all of which can lead to lawsuits and regulatory scrutiny.

• Lesson: Healthcare organizations must treat cybersecurity as a critical investment, not an afterthought. Collaborating with cybersecurity experts can help mitigate vulnerabilities.

See also: HIPAA Compliant Email: The Definitive Guide

How to strengthen your defenses against ransomware

While no defense is foolproof, taking proactive measures can significantly reduce your risk and improve your ability to recover if an attack occurs. 

• Maintain offsite backups: Regularly back up critical systems and ensure backups are stored offline and tested for integrity.
• Conduct security audits: Regular audits can identify vulnerabilities in your systems before attackers do.
• Stay informed: Monitor emerging threats, like Embargo’s tactics, to understand the evolving cybersecurity landscape.
• Incident response plan: Develop and regularly update an incident response plan to quickly contain and recover from attacks.

Related: OCR releases ransomware prevention guidance

FAQs

Can ransomware spread across a network?

Ransomware can move laterally across a network, infecting multiple devices or servers. This is why disconnecting affected systems immediately is critical during an attack.

Learn more: Stopping the spread of a healthcare cyber attack

What are the early signs of a ransomware attack?

• Unusual system slowdowns or crashes.
• Files becoming inaccessible or showing strange extensions.
• A sudden ransom note or screen lock.
• Unauthorized activity or access logs in your system.

How long does it typically take to recover from a ransomware attack?

Recovery time depends on the extent of the attack, the availability of backups, and the robustness of the incident response plan. It can range from a few days to several weeks or months.