Biolife, a wholly owned subsidiary of Merit Medical Breach Incident Score: Analysis & Impact (BIO4503245111125)

In this Rankiteo incident briefing, we review the Biolife, a wholly owned subsidiary of Merit Medical breach identified under incident ID BIO4503245111125.

The analysis begins with a detailed overview of Biolife, a wholly owned subsidiary of Merit Medical's information like the linkedin page: https://www.linkedin.com/company/biolife, the number of followers: 2399, the industry type: Medical Equipment Manufacturing and the number of employees: 135 employees

After the initial compromise, the video explains how Rankiteo's incident engine converts technical details into a normalized incident score. The incident score before the incident was 644 and after the incident was 380 with a difference of -264 which is could be a good indicator of the severity and impact of the incident.

In the next step of the video, we will analyze in more details the incident and the impact it had on Biolife, a wholly owned subsidiary of Merit Medical and their customers.

Unnamed Florida Medical Device Company recently reported "Cybersecurity Professionals Indicted for BlackCat Ransomware Attacks Yielding Nearly $2 Million", a noteworthy cybersecurity incident.

Three cybersecurity professionals—Kevin Tyler Martin (Texas), Ryan Clifford Goldberg (Georgia), and an unnamed Florida-based individual—were indicted for conducting ransomware attacks using the BlackCat (ALPHV) strain between May 2023 and April 2025.

The disruption is felt across the environment, affecting True, and exposing True, plus an estimated financial loss of $1.96 million (paid by one victim); Total demands ranged from $300,000 to $15.4 million.

In response, and stakeholders are being briefed through Public statements from DigitalMint and Sygnia denying organizational involvement and Media coverage of indictments.

The case underscores how Ongoing (Trial Pending), teams are taking away lessons such as Insider threats pose significant risks, even from trusted cybersecurity professionals, Ransomware-as-a-Service (RaaS) models enable low-barrier entry for affiliates, including English speakers and Technical controls and monitoring are critical but not foolproof against determined insiders, and recommending next steps like Enhance background checks and continuous monitoring for employees in high-risk roles (e.g., incident response, ransomware negotiation), Implement stricter access controls and segregation of duties for sensitive systems/data and Develop insider threat detection programs with behavioral analytics, with advisories going out to stakeholders covering DigitalMint and Sygnia issued statements distancing themselves from the criminal activity and confirming cooperation with the FBI and Victim organizations (e.g., Florida medical device company) likely issued internal advisories, though details are not public.

Finally, we try to match the incident with the MITRE ATT&CK framework to see if there is any correlation between the incident and the MITRE ATT&CK framework.

The MITRE ATT&CK framework is a knowledge base of techniques and sub-techniques that are used to describe the tactics and procedures of cyber adversaries. It is a powerful tool for understanding the threat landscape and for developing effective defense strategies.

Rankiteo's analysis has identified several MITRE ATT&CK tactics and techniques associated with this incident, each with varying levels of confidence based on available evidence. Under the Initial Access tactic, the analysis identified Valid Accounts: Cloud Accounts (T1078.004) with moderate to high confidence (85%), with evidence including exploited their insider knowledge from roles at DigitalMint and Sygnia Consulting, and insider Abuse of Privileges in attack_vector and Trusted Relationship (T1199) with high confidence (90%), supported by evidence indicating attackers leveraging their roles at DigitalMint and Sygnia Consulting, exploited trust to deploy ransomware. Under the Persistence tactic, the analysis identified Account Manipulation: Additional Cloud Roles (T1098.003) with moderate to high confidence (75%), supported by evidence indicating abuse of insider privileges by cybersecurity professionals with specialized knowledge. Under the Privilege Escalation tactic, the analysis identified Valid Accounts: Default Accounts (T1078.001) with moderate to high confidence (70%), with evidence including exploited their insider knowledge... to deploy ransomware, and unauthorized Access in attack_vector. Under the Defense Evasion tactic, the analysis identified Impair Defenses: Disable or Modify Tools (T1562.001) with moderate to high confidence (80%), with evidence including lax oversight or detection mechanisms for employees handling ransomware negotiations/incident response, and attackers exploited their insider knowledge and Obfuscated Files or Information (T1027) with moderate to high confidence (75%), supported by evidence indicating blackCat (ALPHV) ransomware attack (known for encryption/obfuscation). Under the Credential Access tactic, the analysis identified Unsecured Credentials: Credentials In Files (T1552.001) with moderate to high confidence (85%), with evidence including abuse of insider privileges... with specialized knowledge, and unauthorized Access in attack_vector. Under the Discovery tactic, the analysis identified System Information Discovery (T1082) with moderate to high confidence (80%), with evidence including cybersecurity professionals likely performed reconnaissance using insider access, and high-value targets such as Medical and engineering sector companies. Under the Collection tactic, the analysis identified Data from Local System (T1005) with high confidence (95%), with evidence including stole sensitive information, and data exfiltration such as true. Under the Exfiltration tactic, the analysis identified Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol (T1048.003) with moderate to high confidence (85%), with evidence including data exfiltration such as true, and blackCat (ALPHV) ransomware attack (commonly uses obfuscated channels). Under the Impact tactic, the analysis identified Data Encrypted for Impact (T1486) with high confidence (100%), with evidence including encrypted critical data, data encryption such as true, and blackCat (ALPHV) ransomware and Data Destruction (T1485) with moderate to high confidence (70%), supported by evidence indicating intentional damage to protected computers (from charges). Under the Lateral Movement tactic, the analysis identified Remote Services: Remote Desktop Protocol (T1021.001) with moderate to high confidence (70%), supported by evidence indicating insider knowledge from roles at DigitalMint and Sygnia suggests potential RDP/remote tool abuse. These correlations help security teams understand the attack chain and develop appropriate defensive measures based on the observed tactics and techniques.