Date of Incident:
August 2025
Overview:
In August 2025, Inotiv, a healthcare services company, suffered a ransomware attack that disrupted business operations and compromised the personal information of 9,542 individuals. Initial access came through vulnerable remote access services and phishing; the ransomware then encrypted 162,000 files totaling 176 GB. The observed behaviour maps to MITRE ATT&CK techniques including file encryption (T1486, Data Encrypted for Impact) and disabling antivirus protections (T1562.001, Impair Defenses: Disable or Modify Tools). Exfiltrated data left the network over TLS 1.2 on uncommon high ports to threat actor-controlled IPs. Comparable companies in the sector include Charles River Laboratories and LabCorp.
Impact:
Personal information of 9,542 individuals stolen; business operations disrupted; 162,000 files totaling 176 GB encrypted, with data exfiltrated to threat actor-controlled IPs
Details:
The Inotiv ransomware attack involved the exploitation of vulnerable remote access services and phishing vectors, aligning with MITRE ATT&CK techniques T1078 (Valid Accounts) and T1566 (Phishing). The ransomware payload exhibited the file encryption behaviour of T1486 (Data Encrypted for Impact), encrypting 162,000 files totaling 176 GB. IOCs include command and control (C2) domains associated with payload delivery, hashes of the ransomware executable, and registry edits that disabled antivirus protections (T1562.001, Impair Defenses: Disable or Modify Tools). Windows Security log artifacts showed bursts of failed logons (Event ID 4625) followed by successful logons (Event ID 4624) and process creation (Event ID 4688) on further hosts, the pattern of credential guessing followed by lateral movement; note that 4624 records successful logons only, so the failed attempts are found under 4625. PoC code samples demonstrated the payload's ability to enumerate running processes (T1057, Process Discovery) and delete volume shadow copies to inhibit recovery (T1490, Inhibit System Recovery). Exfiltration logs confirmed data transfers over uncommon high ports using TLS 1.2 to external IP addresses linked to the threat actors; TLS on a non-standard port (T1571, Non-Standard Port) is a useful hunting signal because legitimate HTTPS traffic overwhelmingly uses port 443.
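The artifact chain described above lends itself to a few concrete detection checks. The following Python is an added example, not code from the page or from Inotiv's investigation: it runs three checks over constructed sample records, namely a burst of Event ID 4625 failures followed by a 4624 from the same source and account, 4688 process creation lines that delete shadow copies or disable Defender through the registry, and flow records showing large TLS sessions to public IPs on uncommon high ports. All IP addresses, usernames, timestamps and command lines are made up, the field names are assumed (map them onto your SIEM's schema), and the thresholds are starting points to tune per environment.

```python
"""Detection checks for the artifact chain described above, run over constructed sample records.

Sample data, thresholds and field names are assumptions for illustration; map the field
names onto your SIEM's schema for Windows Security events and flow/NetFlow exports.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress
import re

# Constructed Windows Security events (not real Inotiv logs).
# 4625 = failed logon, 4624 = successful logon (logon_type 10 = RemoteInteractive/RDP),
# 4688 = process creation with command line auditing enabled.
EVENTS = [
    {"id": 4625, "ts": "2025-08-08T02:00:01", "user": "svc_backup", "ip": "203.0.113.45", "logon_type": 10},
    {"id": 4625, "ts": "2025-08-08T02:00:05", "user": "svc_backup", "ip": "203.0.113.45", "logon_type": 10},
    {"id": 4625, "ts": "2025-08-08T02:00:09", "user": "svc_backup", "ip": "203.0.113.45", "logon_type": 10},
    {"id": 4625, "ts": "2025-08-08T02:00:14", "user": "svc_backup", "ip": "203.0.113.45", "logon_type": 10},
    {"id": 4625, "ts": "2025-08-08T02:00:20", "user": "svc_backup", "ip": "203.0.113.45", "logon_type": 10},
    {"id": 4624, "ts": "2025-08-08T02:00:31", "user": "svc_backup", "ip": "203.0.113.45", "logon_type": 10},
    {"id": 4688, "ts": "2025-08-08T02:05:10", "user": "svc_backup", "cmd": "vssadmin.exe delete shadows /all /quiet"},
    {"id": 4688, "ts": "2025-08-08T02:05:12", "user": "svc_backup",
     "cmd": 'reg add "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f'},
    {"id": 4624, "ts": "2025-08-08T09:15:00", "user": "jdoe", "ip": "10.0.4.22", "logon_type": 2},  # benign console logon
    {"id": 4688, "ts": "2025-08-08T09:20:00", "user": "jdoe", "cmd": "notepad.exe report.txt"},  # benign
]

# Constructed flow records (firewall / NetFlow style). 198.51.100.0/24 is a documentation range
# standing in for an attacker-controlled public IP.
FLOWS = [
    {"src": "10.0.4.22", "dst": "198.51.100.77", "dport": 443, "proto": "TLSv1.2", "bytes": 120_000},            # normal HTTPS
    {"src": "10.0.4.30", "dst": "10.0.9.5", "dport": 9443, "proto": "TLSv1.2", "bytes": 80_000_000},           # internal, ignore
    {"src": "10.0.4.30", "dst": "198.51.100.77", "dport": 44311, "proto": "TLSv1.2", "bytes": 1_800_000_000},  # suspicious
    {"src": "10.0.4.30", "dst": "198.51.100.77", "dport": 44311, "proto": "TLSv1.2", "bytes": 2_000},          # too small
]

INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
COMMON_TLS_PORTS = {443, 8443}
RECOVERY_INHIBIT = re.compile(
    r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete|bcdedit(\.exe)?\s.*recoveryenabled\s+no", re.I)
AV_DISABLE = re.compile(r"DisableAntiSpyware|DisableRealtimeMonitoring|Set-MpPreference\s.*-Disable", re.I)


def detect_bruteforce_then_success(events, threshold=5, window=timedelta(minutes=10)):
    """Flag a 4624 preceded by >= `threshold` 4625s for the same (ip, user) within `window` (T1078 via guessed creds)."""
    failures = defaultdict(list)
    alerts = []
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["id"] not in (4624, 4625):
            continue
        key = (e["ip"], e["user"])
        t = datetime.fromisoformat(e["ts"])
        if e["id"] == 4625:
            failures[key].append(t)
            continue
        recent = [f for f in failures[key] if t - f <= window]
        if len(recent) >= threshold:
            alerts.append({"rule": "bruteforce_then_success", "ip": e["ip"], "user": e["user"],
                           "failures": len(recent), "logon_type": e["logon_type"], "ts": e["ts"]})
            failures[key].clear()  # one alert per burst
    return alerts


def detect_suspicious_process_creation(events):
    """Flag 4688 command lines that delete shadow copies (T1490) or disable Defender via the registry (T1562.001)."""
    alerts = []
    for e in events:
        if e["id"] != 4688:
            continue
        cmd = e.get("cmd", "")
        if RECOVERY_INHIBIT.search(cmd):
            alerts.append({"rule": "inhibit_system_recovery", "user": e["user"], "cmd": cmd})
        if AV_DISABLE.search(cmd):
            alerts.append({"rule": "av_disabled_via_registry", "user": e["user"], "cmd": cmd})
    return alerts


def detect_tls_on_uncommon_high_port(flows, min_bytes=50_000_000):
    """Flag large TLS sessions to non-internal IPs on high ports other than the usual HTTPS ports (T1571 / T1048)."""
    alerts = []
    for f in flows:
        dst = ipaddress.ip_address(f["dst"])
        if any(dst in net for net in INTERNAL_NETS) or not f["proto"].startswith("TLS"):
            continue
        if f["dport"] > 1024 and f["dport"] not in COMMON_TLS_PORTS and f["bytes"] >= min_bytes:
            alerts.append({"rule": "tls_uncommon_high_port_exfil", "src": f["src"], "dst": f["dst"],
                           "dport": f["dport"], "bytes": f["bytes"]})
    return alerts


def run_all(events=EVENTS, flows=FLOWS):
    """Run every check and return the combined alert list."""
    return (detect_bruteforce_then_success(events)
            + detect_suspicious_process_creation(events)
            + detect_tls_on_uncommon_high_port(flows))


if __name__ == "__main__":
    for alert in run_all():
        print(alert)
```

Run as-is, the sample data produces four alerts: one failed-then-successful RDP logon from 203.0.113.45, the shadow copy deletion, the Defender registry edit, and the 1.8 GB TLS session to port 44311. The internal 9443 flow and the small 44311 flow are deliberately ignored; the internal-range check is done against RFC 1918 networks explicitly rather than with `ip_address(...).is_private`, because Python also treats the documentation ranges used here as private and would silently drop the exfil flow.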
Remediation:
Inotiv should apply vendor patches for the exposed remote access services (RDP, VPN and other remote access gateways) and for the email security gateway, rather than relying on endpoint protection alone; endpoint protection vendors do not patch RDP. Immediate mitigations include removing RDP from direct internet exposure (place it behind a VPN or gateway and block TCP 3389 at the perimeter), enforcing MFA for all remote access, and tightening network segmentation so that a single compromised account cannot reach file servers and backup infrastructure. Known workarounds include maintaining offline or immutable backups that the ransomware cannot delete along with the shadow copies, and immediately isolating infected endpoints to prevent propagation.
Takeaway for CISO:
This breach highlights the need for stringent access control and proactive phishing defenses in the healthcare services sector. CISOs should prioritize zero trust architectures (no network access without an authenticated, MFA-backed identity) and continuous monitoring, both for the data exfiltration that precedes a ransom demand and for the encryption itself. Regular employee phishing training reduces phishing success rates, while tested, offline backups ensure business continuity when encryption does occur.
Outpace Attackers With AI-Based Automated Penetration Testing With FireCompass:
FireCompass is a single platform for AI-Powered Continuous Automated Red Teaming (CART), Pen Testing & NextGen Attack Surface Management.
