Cencora paid $75m in Bitcoin ransomware: Bloomberg

Healthcare solutions provider Cencora paid a total of $75 million to a ransomware group earlier this year, according to Bloomberg.

The publicly traded pharmaceutical distributor, formerly known as AmerisourceBergen, reportedly sent $75 million worth of Bitcoin (BTC) to cyber attackers following a data breach in February.

In a Sept. 18 report citing sources familiar with the matter, Bloomberg noted that Cencora sent BTC to the hackers in three transactions. The attackers had initially demanded $150 million from the pharmaceutical solutions provider.

Blockchain detective reveals more details

While the Bloomberg article did not share details of the three transactions, blockchain detective ZachXBT did. The highly respected crypto fraud and blockchain security researcher identified the hackers as the Dark Angels ransomware group.

In a post on X after the news broke, ZachXBT revealed that Cencora sent 296.5 BTC on March 7, 2024, with a transaction time of 22:04 UTC. The next two transfers occurred on March 8, 2024—the first for 408 BTC at 19:45 UTC and the other for a total of 387 BTC at 21:39 UTC.

Announcing its findings, ZachXBT noted that it used clues from the Bloomberg article. For example, the report alleged that Cencora paid the extortionists in three installments in March 2024. On-chain data also supported its conclusions.

“The funds for all three addresses were provided by the same source and the funds flowed to addresses with a high risk of illicit funds.”

ZachXBT

Bitcoin ransomware attacks

According to the Bloomberg article, the $75 million ransom is the highest such payment in history, surpassing previous incidents where payments exceeded $40 million; the last one occurred in 2021.

The Federal Bureau of Investigation reported earlier this year that ransomware attacks had defrauded more than 250 companies across the United States, Europe and Australia.

Ransomware attacks using cryptocurrency schemes continue to cause concern, with a Chainalysis report published in May 2024 showing that payments to such attackers decreased by almost 50% in 2023.