Qilin Shuts Inotiv Down

A ransomware attack has forced drug research firm Inotiv to shut down critical systems, resulting in operational disruptions.  Inotiv is an analytical drug discovery and development service that works with various pharmaceutical companies.  It employs over 2,000 research specialists and reports an annual revenue of over $500 million.  According to a regulatory filing with the US Securities and Exchange Commission (SEC), Inotiv discovered the cyber attack on 8 August.  “On August 8, 2025, Inotiv, Inc. became aware of a cybersecurity incident affecting certain of its systems and data,” the company stated.[1]

It promptly responded by launching an investigation with third-party cyber forensics and law enforcement to determine the scope of the incident.  The probe determined that the threat actors had accessed and encrypted some computer systems, confirming that it had suffered a ransomware attack.  “The Company’s preliminary investigation determined that a threat actor gained unauthorized access to, and encrypted certain of, the Company’s systems,” Inotiv said.

The cyber intrusion prompted Inotiv to shut down certain systems to prevent the threat actor from spreading laterally.  The shutdown process restricted access to certain internal data and business application systems, thus disrupting daily operations.

The drug research company also took immediate steps to navigate the limitations by exploring various alternatives, including utilizing offline data.  Its cyber incident response teams also began working tirelessly to restore normal operations, although the company has not provided an expected resolution date.  “The cybersecurity incident has caused, and is expected to continue to cause, disruptions to certain business operations of the Company,” it warned.

Inotiv has yet to determine if the ransomware attack leaked sensitive data or will have a material impact on its operations or financial condition.  Additionally, the drug research firm has not attributed the cyber-attack to any cybercrime group or confirmed receiving any ransom demands.

Although Inotiv has not named the attackers, the Qilin cyber gang has taken responsibility for the Inotiv ransomware attack and listed the drug research firm on its data leak site.  The Russian cybercrime gang also claimed to have stolen 176 GB of research data containing roughly 162,000 files collected over the last 10 years.

On 11 August, the attackers released portions of the stolen data on their dark web leak site as evidence that they had gained unauthorized access to sensitive information.  The allegedly stolen trove includes development and testing reports of various drugs, internal communications, and analytical data, potentially worth hundreds of millions of dollars.  As a result, the drug research firm potentially faces serious legal and reputational consequences from the ransomware attack.

It remains unclear how the attackers breached the drug research firm.  However, the Qilin ransomware group typically targets organizations via phishing and by exploiting exposed interfaces, such as Remote Desktop Protocol (RDP) and virtual private network (VPN) services.  It also leverages infostealers that target Google Chrome to harvest saved passwords and compromise user accounts.  “Qilin emerges as the top ransomware group that often utilizes spear-phishing email tactics to penetrate an organization’s security defenses, dropping custom-made payloads once they’ve entered the desired database,” said Aditya Sood, VP of Security Engineering and AI Strategy at Aryaka.  “Once Qilin has access to credentials, the malware moves laterally across networks to widen the breach.”

Qilin’s top targets include healthcare organizations and institutions of higher learning.  In June 2024, the cybergang conducted one of the largest healthcare ransomware attacks that affected a UK medical diagnostics and pathology company, Synnovis, and demanded $50 million in ransom.

The Synnovis ransomware attack also disrupted operations, forcing hospitals across the United Kingdom to cancel or reschedule over 6,000 appointments and operations, and leaked over 400 GB of protected health data.  “This ransomware attack is yet another example of the growing threat facing healthcare organizations and reflects a growing trend among cybercriminal groups to exploit sectors where time sensitivity heightens pressure to restore operations, increasing the likelihood of ransom payments,” said Ryan Sherstobitoff, Chief Threat Intelligence Officer at SecurityScorecard.  “The pharmaceutical sector in particular remains a prime target for ransomware groups.  These companies often handle sensitive intellectual property and operate critical services, making them attractive to attackers seeking high payouts.”

This article is shared with permission at no charge for educational and informational purposes only.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization.  We provide indicators of compromise information via a notification service (RedXray) or an analysis service (CTAC).  For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@redskyalliance.com    

Weekly Cyber Intelligence Briefings:

REDSHORTS - Weekly Cyber Intelligence Briefings

https://register.gotowebinar.com/register/5207428251321676122

[1] https://www.cpomagazine.com/cyber-security/ransomware-attack-hits-drug-research-firm-inotiv-disrupts-operations-and-leaks-data/#google_vignette