Cencora pays $75 million in Bitcoin in the largest known case of ransomware attack
Cencora Inc., a major drug distributor, paid $75 million in Bitcoin (BTC) to hackers following a ransomware attack, marking the largest known cyber extortion payment to date. As reported by Bloomberg, the payment was made in three installments in March after Cencora discovered a data breach in February.
Blockchain sleuth ZachXBT identified the three transactions, totaling 1,091.5 BTC, using on-chain data and shared them on X. The first 296.5 BTC transaction was made on Mar. 7, with a second 408 BTC transaction made the following day, and the remaining 387 BTC was sent less than two hours later.
“Also all three addresses were funded from the same source and the funds flowed to addresses with high illicit fund exposure,” ZachXBT added.
The hackers, identified as the Dark Angels group, initially demanded $150 million. Cencora, formerly known as AmerisourceBergen, has a market capitalization of about $46 billion and generated $262 billion in revenue last fiscal year.
“Lottery jackpot-level payouts like this make the health and medical sector a more attractive target than it already is. We’re not talking about buy-a-Ferrari amounts here. It’s build-your-own-army amounts,” Brett Callow, managing director at FTI Consulting, stated.
Charles Carmakal, chief technology officer at Mandiant Consulting, confirmed that while such large payments are not common, they do occur.
The breach resulted in the theft of personal data including names, addresses, dates of birth, diagnoses, prescriptions, and medications. Cencora’s July quarterly report indicated $31.4 million in expenses related to the cybersecurity event.
Ransomware attacks grow
Blockchain analysis firm Chainalysis revealed in its “2024 Crypto Crime Mid-Year Update” that on-chain transactions related to illicit funds shrunk by almost 20% year-to-date compared to 2023.
Yet, security incidents involving stolen funds and ransomware attack vectors are on the rise. Ransomware inflows rose by approximately 2%, from $449.1 million to $459.8 million.
The Cencora episode made the ransom payment to the most severe ransomware rise from under $200,000 in early 2023 to $1.5 million in mid-June 2024.
According to Chainalysis, this suggests that these ransomware strains are aimed at larger businesses and critical infrastructure providers, as they are more likely to pay high ransoms due to their deep pockets and systemic importance.