West Pharmaceutical Services has disclosed a ransomware attack that disrupted manufacturing, shipping, and receiving operations across multiple global facilities after bad actors breached the company’s network on 4 May.
The pharmaceutical packaging manufacturer said attackers exfiltrated data and encrypted systems, forcing the company to proactively shut down portions of its infrastructure to contain the incident.
“We continue to make good progress in the restoration of our systems. Our outside counsel promptly engaged Palo Alto Networks Unit 42 to support the Company’s investigation, containment, and recovery efforts, in coordination with other external experts,” the company added.
It said it has restored its core enterprise systems, and critical processes for shipping, receiving, and manufacturing have restarted at some sites with restoration at remaining sites ongoing. “This is a 24/7 effort and top priority for our entire organization.”
In a letter posted on its website, West said that, based on the forensic evidence reviewed and the threat hunting activities performed across the environment, no persistent activity has been identified. The incident has only impacted domain-joined devices of West Pharmaceutical Services.
Also, all known indicators of compromise associated with this incident are in the process of being successfully identified and addressed.
“Unit 42 has engaged with a global restoration service to assist with recovery of the identity infrastructure and has reported that existing accounts have been secured,” the letter read.
“We remain steadfast in our commitment to supporting our customers and the critical role of our products to improving patients’ lives across the globe.”
West said it will continue to provide timely updates as additional information becomes available.
Target selection follows market logic
Jacob Krell, Senior Director: Secure AI Solutions & Cybersecurity, at Suzu Labs, said: “Ransomware has completed its transition from disparate criminal hackers into a full industry. According to Chainalysis, claimed attacks surged 50% in 2025 across as many as 85 active extortion groups competing for victims.”
He said these groups run affiliate programs with revenue sharing and dedicated support infrastructure. “Target selection follows market logic, and a manufacturer that produces the injectable packaging and delivery systems drug companies depend on to get medication to patients cannot absorb extended downtime without that disruption cascading downstream.”
Treat ransomware as an operational assumption and invest accordingly
Krell said businesses occupying critical supply chain positions should treat ransomware as an operational assumption and invest accordingly. That means blast radius reduction and validated recovery capabilities, supported by proactive threat hunting. Perimeter defense alone is insufficient when adversaries operate with the speed and specialization of a professional operation.
“West’s SEC filing notes the company is still investigating what data was compromised. That uncertainty is a data inventory problem, and most organizations share it regardless of sector. They can tell you systems are down. Fewer can tell you exactly what data sat in those systems and who it affects. That gap extends every phase of incident response from materiality determination to customer notification. Complete data inventory is what allows an organization to answer the first question every board and every regulator will ask after a breach. What was taken.”
Forcing a proactive global shutdown
Damon Small, Board of Directors, at Xcape Inc, added: “The West Pharmaceutical attack is a direct hit on the ‘sterile core’ of the global drug supply chain. By forcing a proactive global shutdown of manufacturing and shipping, the attackers didn’t just lock servers; they paralyzed the delivery mechanism for approximately 70% of the world’s injectable drugs. This incident demonstrates that in high-stakes manufacturing, the ‘proactive shutdown’ is often as disruptive as the malware itself, creating a massive backlog in a sector where sterile integrity and just-in-time delivery are non-negotiable.
“This breach proves that for critical suppliers, operational downtime is a secondary threat compared to the quiet extortion of proprietary IP. The absence of a public leak site listing suggests West is likely negotiating to protect specialized packaging designs and shipping manifests that represent a single point of failure for giants like Pfizer and Moderna. Restoration of enterprise systems is only half the battle; the ‘phased’ restart of global factories reveals a deep distrust in the underlying OT segmentation that allowed a corporate IT breach to reach the production line.”
Start demanding proof of “clean room” recovery environments
To do better, Small says security teams must stop treating supply chain risk as a paperwork exercise and start demanding proof of “clean room” recovery environments from their Tier-1 vendors. “Defenders should prioritize isolating the OT control plane from the business network with strict, unidirectional gateways and move toward immutable, off-site backups that can survive a global ‘kill switch’ event. A reference architecture – the Purdue Model – that describes in detail how to accomplish this has existed since 1995 so there is little excuse for not understanding these concepts.”
He believes true resilience in the pharmaceutical space requires a shift from reactive containment to a proactive architecture where the loss of an IT domain controller doesn’t result in a worldwide manufacturing cardiac arrest. “In manufacturing, a ‘phased restoration’ is usually just corporate-speak for ‘we paid the ransom, and now we’re just waiting for the hackers to give us our factory back.’”
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.


