On June 25, 2026, the Qilin ransomware group claimed responsibility for a cyberattack on ISOPLUS (isoplus.gr), a prominent Greek pharmaceutical company. The group has listed ISOPLUS on its leak site and is threatening to publish stolen data unless a ransom is paid, stating that "the full leak will be published soon, unless a company representative contacts us via the channels provided." The claim marks another instance of Qilin targeting the healthcare and pharmaceutical supply chain, a sector that holds high-value regulatory, patient, and proprietary data.
What Happened
Qilin added ISOPLUS to its dark web extortion portal on June 25, 2026, asserting that it had successfully compromised the company's network and exfiltrated sensitive data. As is typical of the group's double-extortion model, the public listing serves as both proof of compromise and a pressure tactic, giving the victim a narrow window to negotiate before the data is dumped publicly.
At the time of reporting, ISOPLUS had not issued a public statement confirming or denying the breach, and the full scope of the intrusion remains unverified. Qilin's claim has not yet been independently corroborated beyond the actor's own leak-site posting, which is standard for the early hours of a ransomware disclosure.
What Was Taken
Qilin has not yet published a detailed file tree or sample set, so the precise volume and contents of the stolen data are not confirmed. However, given the group's established patterns and the nature of ISOPLUS's business, the data exposed in pharmaceutical-sector breaches of this kind typically includes:
- Employee and corporate credentials
- Internal financial and operational records
- Regulatory, manufacturing, and quality-control documentation
- Supply chain and third-party vendor information
- Potentially patient-adjacent or distribution data subject to GDPR
The actor's "full leak" threat indicates a staged release strategy: partial proof may surface first to validate the claim, followed by a complete dump if the ransom deadline passes without payment.
Why It Matters
Pharmaceutical companies sit at the intersection of critical infrastructure, regulated patient data, and intellectual property, making them especially attractive to extortion-focused threat actors. A breach at ISOPLUS carries downstream risk for distribution partners, healthcare providers, and patients across the Greek and broader European market.
Qilin (also tracked as Agenda) has matured into one of the more active ransomware-as-a-service operations, recruiting affiliates and frequently hitting healthcare targets where operational disruption increases the likelihood of payment. Under GDPR, any confirmed exposure of personal data could trigger mandatory breach notifications and regulatory scrutiny, compounding the financial impact of the incident well beyond any ransom demand.
The Attack Technique
The initial access vector for the ISOPLUS intrusion has not been disclosed. Qilin affiliates commonly gain entry through phishing, exploitation of exposed or unpatched perimeter services such as VPNs and remote-access gateways, and the use of valid credentials harvested by infostealer malware and sold on dark web markets.
Once inside, the group's affiliates typically conduct reconnaissance, escalate privileges, move laterally, and exfiltrate data before deploying encryption. The emphasis on data theft and public leak threats, rather than encryption alone, reflects the modern extortion playbook, in which stolen data is the primary point of leverage.
What Organizations Should Do
- Validate and isolate backups: maintain current, encrypted, offline, and immutable backups so that recovery is possible without paying a ransom.
- Run a compromise assessment: investigate for initial access, lateral movement, exfiltration, and persistence mechanisms across the environment.
- Enforce MFA and rotate credentials: require multi-factor authentication on all external access points and reset credentials that may be exposed in infostealer logs.
- Monitor dark web and leak-site activity: track ransomware portals, stolen-credential markets, and malware log dumps for early signs of exposure tied to your domains and personnel.
- Patch internet-facing systems: prioritize VPNs, remote-access gateways, and other perimeter services that are frequent ransomware entry points.
- Engage professional responders early: involve incident response, threat intelligence, and legal counsel before any contact with the threat actor.
Sources: Qilin Ransomware Targets Greek Pharma Leader ISOPLUS - DeXpose