Pharma Firm Inotiv Confirms Data Breach Affecting 9,500+ After Ransomware Attack

Indiana-based pharmaceutical research firm Inotiv recently confirmed that personal information belonging to more than 9,500 individuals was stolen in a ransomware attack in August 2025. The company began notifying those affected in early December, and the breach highlights the ongoing security challenges facing contract research organizations that handle sensitive drug development data.

What Happened

Between August 5 and 8, attackers gained unauthorized access to Inotiv’s systems and encrypted certain networks and data. The company discovered the breach on August 8 and immediately took systems offline while launching an investigation with external cybersecurity experts and notifying law enforcement.

The attack disrupted business operations and prevented access to internal databases and applications. In early December, Inotiv confirmed in regulatory disclosures that it had restored availability to its networks and systems.

The stolen data includes names, addresses, Social Security numbers, and financial and medical information belonging to current and former employees, their family members, and other individuals who’ve interacted with the company or firms it acquired.

Qilin Claims Responsibility

The Russia-based Qilin ransomware group claimed responsibility for the attack shortly after it occurred. On their dark web leak site, the group alleged they stole 176 gigabytes of data (roughly 162,000 files) and posted sample documents as proof. The listing has since been removed from their site, though it’s unclear whether this means a ransom was paid.

Qilin operates as a Ransomware-as-a-Service (RaaS), providing tools and infrastructure to affiliate cybercriminals in exchange for a cut of ransom payments (typically 15-20%). This business model has helped them become one of the most prolific ransomware operations worldwide.

The group has been particularly aggressive in 2025. Research from Comparitech indicates that Qilin has claimed over 700 victims this year alone, more than any other ransomware group. Healthcare organizations have been hit 45 times in 2025, with 14 confirmed attacks.

How Qilin Operates

Security researchers have identified several common tactics Qilin affiliates use:

Initial Access: The group primarily exploits vulnerabilities in Fortinet devices and Veeam Backup & Replication software. They also conduct brute force attacks on VPN devices and use compromised credentials purchased on the dark web.

Lateral Movement: Once inside, attackers use tools like PsExec and compromised domain credentials to move across networks. They’re known to disable security tools and delete system logs to avoid detection.

Double Extortion: Beyond encrypting data, Qilin affiliates exfiltrate sensitive information and threaten to publish it publicly. This adds pressure on victims who might otherwise restore from backups rather than pay.

Data Destruction: The ransomware deletes backups and shadow copies before encrypting files, making recovery significantly harder.
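
As an added illustration (not part of the original article and not taken from the Inotiv investigation), the tactics above map onto a small set of Windows log signals a defender can correlate per host. The sample events, host names and rule labels below are constructed for the example; the event IDs (4688 process creation, 7045 service installed, 1102 audit log cleared) are standard Windows ones.

```python
import re

# Constructed sample events (not taken from the Inotiv incident). Each is a
# simplified Windows record: 4688 = process creation, 7045 = service installed,
# 1102 = Security audit log cleared.
SAMPLE_EVENTS = [
    {"id": 4688, "host": "FS01",
     "cmd": r"C:\Windows\System32\vssadmin.exe delete shadows /all /quiet"},
    {"id": 7045, "host": "FS01", "service": "PSEXESVC"},
    {"id": 1102, "host": "FS01"},
    {"id": 4688, "host": "WS22", "cmd": r"C:\Windows\System32\vssadmin.exe list shadows"},
    {"id": 4688, "host": "DC01", "cmd": "wevtutil.exe cl Security"},
    {"id": 7045, "host": "WS22", "service": "GoogleUpdater"},
]

SHADOW_RE = re.compile(
    r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I)
LOGCLEAR_RE = re.compile(r"wevtutil(\.exe)?\s+(cl|clear-log)\b", re.I)

# Rule names are labels chosen for this example, one per behaviour listed above.
RULES = {
    "shadow_copy_deletion": lambda e: e["id"] == 4688
        and bool(SHADOW_RE.search(e.get("cmd", ""))),
    "log_clearing": lambda e: e["id"] == 1102
        or (e["id"] == 4688 and bool(LOGCLEAR_RE.search(e.get("cmd", "")))),
    "psexec_service": lambda e: e["id"] == 7045
        and e.get("service", "").upper().startswith("PSEXESVC"),
}

def triage(events):
    """Return {host: set of rule names that fired on that host}."""
    hits = {}
    for event in events:
        for name, rule in RULES.items():
            if rule(event):
                hits.setdefault(event["host"], set()).add(name)
    return hits

def escalate(hits, threshold=2):
    """Hosts where several distinct behaviours coincide. PsExec or a single log
    clear can be routine administration; the combination is the stronger signal."""
    return sorted(host for host, names in hits.items() if len(names) >= threshold)

if __name__ == "__main__":
    found = triage(SAMPLE_EVENTS)
    for host in sorted(found):
        print(host, sorted(found[host]))
    print("escalate:", escalate(found))
```

Command-line matching on event 4688 only works where process command-line auditing is enabled, and the logs must be forwarded off the host so that a local log clear does not erase the evidence.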

Recent analysis from Cisco Talos found that manufacturing has been Qilin’s primary target, but healthcare, financial services, and professional services firms face substantial risk.

Why Contract Research Organizations Make Attractive Targets

Inotiv specializes in drug development, discovery, and safety assessment for pharmaceutical and biotechnology companies. Organizations like this handle extremely valuable intellectual property: proprietary research data, clinical trial information, drug development pipelines, and regulatory documentation.

This type of data is worth a lot on the black market, and disruption to these operations can have cascading effects. Delayed research projects, interrupted drug development timelines, and compromised relationships with pharmaceutical clients create pressure to pay ransoms quickly.

The company reported revenue of $513 million in fiscal 2025 but posted an operating loss of $30.9 million, while carrying $402.1 million in debt. Financial strain often makes companies more vulnerable, as they may lack resources for robust security infrastructure.

What This Means for Affected Individuals

Inotiv is offering affected individuals 24 months of free credit monitoring and identity theft protection services. If you’re a current or former employee of Inotiv (or companies they’ve acquired), or if you’ve interacted with the company and receive a notification, you should:

  • Enroll in the offered monitoring services
  • Watch for suspicious activity on credit reports and financial accounts
  • Be alert for phishing attempts (scammers often target data breach victims)
  • Consider placing a fraud alert or credit freeze with major credit bureaus
  • Monitor medical records for signs of healthcare fraud

Broader Implications

This incident adds to a growing list of ransomware attacks targeting pharmaceutical and healthcare organizations. The contract research sector’s combination of valuable data, operational sensitivity, and sometimes limited security budgets makes it an attractive target.

Qilin’s success in 2025 stems partly from the disruption of other major ransomware operations like RansomHub, creating space for groups that can attract skilled affiliates. Their RaaS model, generous affiliate payouts (80-85% of ransoms), and cross-platform capabilities (targeting both Windows and Linux systems) have helped them recruit effectively.

The attack on Inotiv won’t be the last. Organizations handling sensitive research data need to prioritize security fundamentals: patch management (especially for VPN and backup software), multi-factor authentication, network segmentation, and robust backup strategies with offline copies that ransomware can’t reach.

Removing standing admin privileges can also limit ransomware damage. When malware runs with whatever permissions the compromised user has, local admin rights give it free rein to encrypt files and spread laterally. Just-in-time privilege elevation lets users perform necessary tasks without leaving those doors open permanently.

About the Author:

Pocholo Legaspi

Pocholo Legaspi is a seasoned content marketer and SEO specialist with over nine years of experience crafting digital content that drives engagement and growth. With a background in tech and a Master’s in Business Informatics, he brings a data-driven approach to content strategy and storytelling.
