- A Russia-linked cyber group claims that it has breached the systems of TriMed, a subsidiary of the healthcare powerhouse Henry Schein.
- The criminal gang is pressuring the company to pay a ransom and has already leaked some sensitive data onto the dark web.
- The claims may or may not be true, as the company has issued no official statement, but they could mean another ransomware attack on the company within two years.

A Russia-linked cyber group claims a successful ransomware attack on Henry Schein’s subsidiary TriMed. The gang, known as Lynx, has released some data samples on the dark web and is demanding a ransom.
The attackers wrote on their dark web site, “Henry Schein has still been going a cheap way with saving money on good IT security. As a result, they’ve become the victim of a cyber-attack again.”
Ransomware gangs usually list their victims on their dark web pages to compel the organizations to pay a ransom. When their demands are not met, the attackers release the stolen information on the dark web, where anyone can easily download it, leaving the organizations to face the aftermath of the leak, chiefly loss of customer trust and reputational damage.
Some criminal gangs opt for other techniques, such as auctioning off the stolen data to interested parties on darknet marketplaces when the victims fail to comply with their demands.
This incident marks at least the second major ransomware attack on Henry Schein in two years, raising serious questions about the company’s cybersecurity posture. In October 2023, the ALPHV/BlackCat ransomware gang successfully attacked the company, stealing data of over 166,000 individuals and causing significant operational disruption.

The allegedly compromised data
Henry Schein is a top healthcare products and services distributor in America, with operations in over 33 countries across the globe. It is arguably the world’s largest provider of healthcare products and services. Its products and services cover medical practitioners, animal health, office-based dental practices, and other areas.
The company has an annual revenue of about $12.67 billion. The latest alleged attack comes after the 2023 attack mentioned earlier in this article, when the company suffered a huge ransomware attack orchestrated by the ALPHV/BlackCat ransomware gang. At that time, the attack disrupted its website as well as part of its manufacturing and distribution operations, which led its IT teams to take some of the company’s systems offline to contain the attack.
According to reports, the gang stole a wide range of sensitive files, including executive communications, intellectual property, personal documents like passports and driver’s licenses, and legal documents.
It is possible that the Lynx group had long-term access to the company’s critical systems, which could have allowed it to identify and exfiltrate some of the most impactful data and so maximize its leverage for extortion.
Moreover, a leaked email conversation between executives shows details of some high-level financial dealings. The exchange discussed the flow of millions of USD and included sensitive data such as IBANs and bank account numbers.
How big is Lynx ransomware?
Lynx operates entirely as ransomware-as-a-service (RaaS) and is mainly known for going after big organizations in the architecture, finance, and manufacturing industries. However, reports also show the gang targeting the retail and energy sectors across the Asia-Pacific and Middle East regions.
The gang is a significant player in the cybercrime landscape. Since emerging in 2024, Lynx has listed nearly 200 victims on its data leak site. Its malware is technically sophisticated, sharing a significant portion of its source code with the known INC ransomware variant.
The criminal gang is Russia-linked, given that it recruits mostly on Russian-speaking dark web forums. As a result, the gang states that it doesn’t target organizations in Russia or the rest of the CIS countries.
This is a popular tactic among threat actors, especially in Russia, as it lets them operate without interference from the authorities in their home territory.
Lynx also claims that it doesn’t want to harm organizations, that it strictly follows ethical policies, and that it doesn’t go after hospitals, governmental institutions, or non-profit organizations, stating that such sectors play a crucial role in society. On the Lynx leak site, they say that “our operational model encourages dialogue and resolution rather than chaos and destruction.”
Nevertheless, the Lynx gang is one of the key players on the ransomware scene. For instance, this week, the group claimed an attack on the Dodd Group, a popular British construction company. In September, it also claimed to have stolen data from True World Group LLC, the largest US sushi and seafood provider. Other notable victims of Lynx include Dollar Tree and Rose Acre Farms, a huge egg producer in America.
It’s not uncommon for threat actors like Lynx to share fake data or even resurface old information from a previous attack. However, if the data and claims by Lynx prove to be legitimate, the impact could go beyond disruption to the company’s operations, as customers and employees could be in trouble, too.
At the time of writing, the company has not yet responded to the attack claims by Lynx; only time will tell.