How Did Ransomware Disrupt Inotiv’s Drug Research Operations?

I’m thrilled to sit down with Rupert Marais, our in-house security specialist with deep expertise in endpoint and device security, cybersecurity strategies, and network management. With ransomware attacks becoming an increasingly devastating threat to industries like healthcare and pharmaceuticals, Rupert offers a unique perspective on the recent cyber incident at Inotiv, a key player in drug discovery and development. In this interview, we dive into the details of the attack discovered on August 8, explore its impact on operations, discuss the challenges of recovery, and address the broader implications for sensitive research data and the industry at large. Join us as we unpack the complexities of navigating such a crisis in a high-stakes field.

How did your team first uncover the ransomware attack at Inotiv on August 8, and what were your immediate actions?

On August 8, our monitoring systems flagged unusual activity—there were signs of unauthorized access and encryption starting to spread across certain networks. It was clear pretty quickly that we were dealing with a ransomware attack. Our first move was to isolate the affected systems to prevent further spread. We shut down access to compromised networks, alerted our incident response team, and started digging into the scope of the breach. Communication was key at that stage; we looped in key stakeholders and began working on containment while preserving evidence for investigation.

Can you walk us through the impact this attack has had on Inotiv’s daily operations?

The impact has been significant, especially since the attack encrypted critical systems. We’ve had to limit access to portions of our internal data storage and several business applications that are vital for day-to-day work. This has slowed down processes like data analysis and communication between teams. We’re still functioning, but it’s not business as usual—there’s a lot of manual effort involved to keep things moving, and some projects have been delayed as we prioritize recovery.

You’ve mentioned relying on “offline alternatives” to minimize disruption. Can you explain what that looks like in practice?

Essentially, we’ve shifted to manual processes and backup systems that don’t rely on the affected networks. For example, we’re using physical records and standalone tools for certain tasks that would normally be handled digitally. We’ve also leaned on redundant data backups stored offline to retrieve critical information. While these alternatives have helped us avoid a complete standstill, they’re not as efficient, and they can’t fully replicate the speed and connectivity of our regular systems.

What challenges are you facing in getting the encrypted systems back online, and do you have a sense of when full recovery might happen?

Restoring encrypted systems is a complex process. We’re dealing with identifying the extent of the encryption, ensuring we don’t reintroduce any lingering malware, and rebuilding from clean backups. One of the biggest hurdles is validating the integrity of the data we restore—we can’t afford errors in a field like drug development. As for a timeline, it’s hard to pin down. We’re working around the clock, but I’d say we’re still in the assessment phase for some systems, so full recovery could take weeks or longer depending on what we uncover.

The Qilin ransomware gang has claimed responsibility for this attack. What can you share about their involvement and the data they allege to have stolen?

We’re aware of the claim made by the Qilin group, and it’s something we’re taking very seriously as part of our investigation. They’ve stated they’ve taken 176 GB of data, including research spanning a decade, which is deeply concerning given the nature of our work. At this point, we’re still verifying the specifics of what, if anything, was exfiltrated. Our focus is on working with experts to confirm their claims and understand the full scope of the breach while we strengthen our defenses.

How has law enforcement been involved in addressing this incident, and what kind of support have they offered?

We notified law enforcement immediately after confirming the attack, and they’ve been a critical partner in this process. They’re providing guidance on best practices for handling ransomware incidents and are actively investigating the perpetrators. While I can’t share specific details about the investigation, I can say their expertise has helped us navigate the legal and technical aspects of this crisis, and we’re in regular contact as new information comes to light.

Given Inotiv’s role in drug discovery, how worried are you about the potential leak of sensitive research data, and what might be at stake?

The possibility of sensitive data being exposed is one of our top concerns. If the stolen data includes proprietary research or client information, a leak could have serious consequences—think intellectual property loss, competitive disadvantage, or even regulatory issues. Beyond that, there’s the risk to patient privacy if any personal health data is involved. We’re doing everything we can to assess what might be at risk and are taking steps to mitigate harm, including notifying affected parties if necessary and enhancing our security posture.

The SEC filing noted uncertainty around the financial impact of this attack. Can you shed some light on the costs or losses you’re seeing so far?

Right now, we’re still tallying the direct costs, which include everything from incident response and forensic analysis to the downtime we’ve experienced. There’s also the expense of rebuilding systems and potentially upgrading our cybersecurity infrastructure. Long-term, there could be impacts on business relationships or project timelines that might affect revenue, but it’s too early to quantify that. We’re focused on transparency with stakeholders as we get a clearer picture of the financial fallout.

With ransomware attacks becoming more frequent in the healthcare and pharmaceutical sectors, what broader lessons do you think the industry can learn from incidents like this?

This attack is a stark reminder that no organization is immune, especially in healthcare and pharma where data is so valuable. One key lesson is the need for proactive defense—investing in robust cybersecurity before an attack happens, not just reacting after. That means regular system updates, employee training, and layered security like endpoint protection and backups. Another takeaway is the importance of collaboration; sharing threat intelligence across the industry can help us stay ahead of groups like Qilin. Finally, having a solid incident response plan is critical to minimizing damage when the worst does happen.

What is your forecast for the future of ransomware threats in the pharmaceutical industry, and how do you see companies adapting?

I expect ransomware threats to grow in both frequency and sophistication, especially in pharma, where the stakes are so high. Attackers know that disrupting drug development or stealing research data can yield big payoffs, whether through ransoms or selling information on the dark web. I think we’ll see more targeted attacks using advanced tactics like double extortion, where data is both encrypted and leaked. On the flip side, I believe companies will adapt by prioritizing cybersecurity budgets, adopting zero-trust architectures, and fostering a culture of vigilance. The challenge will be staying one step ahead of criminals who are constantly evolving their methods.
