West Pharmaceutical Services Hit by Ransomware Attack, Disrupting Global Manufacturing and Supply Chain West Pharmaceutical Services, a key supplier of injectable drug packaging and delivery systems, disclosed a ransomware attack on 4 May that forced the company to shut down portions of its global infrastructure. The breach, which involved data exfiltration and system encryption, disrupted manufacturing, shipping, and receiving operations across multiple facilities. The company reported progress in restoring core enterprise systems, with critical processes resuming at some sites while others remain in recovery. Forensic investigations, led by Palo Alto Networks’ Unit 42 alongside external experts, found no evidence of persistent malicious activity, though the incident affected domain-joined devices within West’s network. All known indicators of compromise are being addressed, and accounts have been secured. Industry Impact and Supply Chain Risks The attack highlights the growing sophistication of ransomware operations, which now function as a professionalized industry with affiliate programs and revenue-sharing models. According to Jacob Krell of Suzu Labs, ransomware groups target high-value supply chain entities like pharmaceutical manufacturers because downtime cascades downstream, disrupting critical drug delivery systems. Damon Small of Xcape Inc. noted that the breach paralyzed approximately 70% of the world’s injectable drug supply chain, forcing a proactive global shutdown to prevent further damage. The absence of a public leak site suggests negotiations may be underway to protect proprietary packaging designs and shipping data, which could expose major pharmaceutical clients like Pfizer and Moderna to operational risks. Lessons in Resilience and Recovery Experts emphasize that perimeter defense alone is insufficient against modern ransomware threats. Organizations in critical supply chains must adopt blast radius reduction, validated recovery capabilities, and proactive threat hunting. Small advocates for strict OT-IT segmentation (using models like the Purdue Model) and immutable backups to prevent a single breach from crippling global operations. West Pharmaceutical Services continues to provide updates as the investigation progresses, with restoration efforts ongoing. The incident underscores the urgent need for robust cybersecurity measures in sectors where operational downtime directly impacts public health.

ShinyHunters-Linked Cybercrime Campaign Targets Over 100 Major Organizations A recent cybercrime campaign attributed to the ShinyHunters group has targeted at least 100 organizations across multiple sectors, including software, finance, healthcare, and energy, according to cybersecurity firm Silent Push. Over the past 30 days, threat actors registered fake domains impersonating high-profile companies such as Atlassian, Adyen, Canva, Epic Games, HubSpot, Moderna, ZoomInfo, GameStop, WeWork, Halliburton, Sonos, and Telstra. The attackers employed voice phishing (vishing) tactics to compromise single sign-on (SSO) accounts, particularly those using Okta and other identity platforms. Using specialized phishing kits, they intercepted credentials and manipulated victims into bypassing multi-factor authentication (MFA) by convincing them to approve push notifications or submit one-time passcodes (OTPs). Okta described the attacks as involving real-time session orchestration, where threat actors guided victims through the authentication process via verbal instructions. While Silent Push identified the infrastructure used in the campaign, it remains unclear whether the attacks successfully breached any systems. However, ShinyHunters has claimed responsibility for data breaches at companies like Betterment, Crunchbase, and SoundCloud, all of which confirmed incidents. The group allegedly stole millions of records from these organizations as part of the Okta SSO vishing campaign. Silent Push attributes the campaign to Scattered LAPSUS$ Hunters, a collective formed last year by members of Lapsus$, Scattered Spider, and ShinyHunters, based on observed tactics, techniques, and procedures (TTPs). The incident follows recent warnings from Google and others about rising vishing and phishing attacks targeting identity platforms.