Octapharma Plasma Hit by Ransomware: Centers Shut Down

Octapharma Plasma recently encountered a significant disruption within its IT infrastructure, resulting in the closure of over 150 blood plasma collection centers across the USA.

The company’s website displayed a banner informing visitors that all centers were closed due to network issues. An insider familiar with the situation told The Register that the disruption was caused by a ransomware infection from BlackSuit.

This interruption in the operation of American centers could gravely affect the supply of plasma to Octapharma’s European divisions, given that more than 75% of the plasma comes from the U.S. The source also highlighted a dismissive attitude towards security within the company’s IT management, which has now led to severe consequences.

Cybercriminals gained access to the company’s VMware systems and deployed the BlackSuit ransomware. This ransomware is a new strain linked to earlier versions of Royal and Conti, which were previously used in attacks on the healthcare and public health sectors.

Octapharma Plasma swiftly reported the network issues and initiated an investigation with the help of external experts to assess the impact of the incident. The investigation is ongoing, and the company has promised to keep the public informed through social media, the specialized OctaApp, and its website.

Octapharma Group, the parent company of Octapharma Plasma, based in Germany, operates in 118 countries and reported record sales of €3.266 billion in 2023.

The incident threatens not only the company’s operations but also the health of patients who rely on critical procedures and medications, and it endangers sensitive medical and financial data of clients and donors. In the event of a data breach, the company could face class-action lawsuits and further investigations.

Security issues in the medical sector remain acute, particularly given the growing interest of criminal groups in this industry due to the high likelihood of ransom payments.

In 2023, an analysis of the Linux version of BlackSuit revealed significant similarities with a ransomware family known as Royal. Trend Micro, which conducted the analysis, stated that there was an “extremely high degree of similarity” between the two ransomware programs.

Initially, it was expected that the Royal hackers would completely rename their ransomware program to BlackSuit after information about the new encryptor emerged in May 2023. However, a complete rebranding did not occur. The group continues to actively use Royal, applying BlackSuit only in a limited number of cases, such as attacks on major businesses.