Werner Lanthaler rushed to the office the Friday before Easter after learning his biotech company Evotec had been hacked. The chief executive met with senior leaders, formed a crisis team and decided to shut down Evotec’s information-technology systems.
The drug discovery company’s business was at stake. Hamburg, Germany-based Evotec has more than 500 partners, including pharmaceutical and other biotech companies like Bayer, Bristol-Myers Squibb and Novo Nordisk.
Lanthaler knew ransomware could easily spread, encrypting or exposing business partners’ data. “It was maybe a 20-second discussion,” he said. “Shutting down was the only way to really protect our business model in the long run.”
It isn’t unusual for a company to stop operations out of caution during a cyberattack. Colonial Pipeline halted fuel transport as it dealt with ransomware in 2021. Hospitality chain Nordic Choice Hotels shut down reservations in 2022, also after a ransomware hit. Lost revenue, potential customer defection and supply-chain problems are viewed as worth it compared with the unknowns of a crippling hack.
Yet Lanthaler took an uncommonly active, public role in the cyber response at Evotec. He communicated personally with business partners, wrote an open letter about the attack in the midst of Evotec’s ordeal and held town-hall meetings with employees every few days to provide updates.
Lanthaler said Evotec’s handling of the cyberattack and decision to disclose details will help keep partners’ trust. “It’s also a clear differentiator probably, how we are dealing with that situation now into data security as a whole,” he said.
In a letter on Evotec’s website on April 19, two weeks after he shut down technology systems, Lanthaler pledged that “research never stops,” quoting the company’s motto. But Evotec operations did stop, in some areas for weeks.
Machines that normally run around the clock for proteomics, the study of cell structures for biomedicine, were interrupted and new control studies for drug discovery were paused. Yet some business partners that needed to complete studies quickly sought out other firms, said Matthias Evers, the company’s chief business officer.
These companies have since returned to Evotec, Evers said.
Lanthaler is convinced that his openness helped keep the business afloat. “You can’t give any guarantee when you are back to productivity, so the loyalty of our partners was immediately on our mind,” he said.
The company was temporarily delisted from indexes on the Deutsche Börse, the German stock exchange operator, because it couldn’t file an annual report by the end of April. The delisting didn’t stop trading of Evotec stock, and it has since been relisted.
To respond to the hack and analyze the damage, Evotec Chief Information Officer Hans-Ulrich Wolf and his team delved into the hackers’ tactics.
Some of the hackers’ work was sloppy and indicated that multiple parties were involved in different stages of the attack, Wolf said during a webinar last week for business partners.
Even if the hackers were to provide tools for decryption, Wolf said he doubted they would work. Evers declined to comment on whether any ransom was demanded or paid, citing a continuing law-enforcement investigation.
The IT staff were able to reverse engineer parts of the encryption malware. Ransomware groups often split up an attack, selling malware to different hackers who all take a piece of the profit. Last year, the Federal Bureau of Investigation received 870 reports of ransomware attacks on critical infrastructure, including 210 in healthcare—the most-hit sector.
Companies in drug development, in particular, are heavily interconnected, making cyberattacks especially dangerous, said Errol Weiss, chief security officer of the Health Information Sharing and Analysis Center, a nonprofit group that facilitates the exchange of details between healthcare companies about cyber threats.
“Biotech organizations have many customers in the pharmaceutical space that are dependent on them to run a critical business process, so when they have a disruption they’re impacting upstream,” Weiss said.
In the weeks after the attack, Evotec’s bioinformatics experts and software developers stepped in, using their skills for cyber response, Lanthaler said. They analyzed malware and helped enroll colleagues in new IT systems as they came back online.
Two months after the attack, Evotec’s technology still isn’t completely restored, though it is clear, Lanthaler said, that the hackers went after financial and corporate data, but not clinical information.
Now, staff go through a painstaking process to secure all of the company’s data in a controlled, quarantined environment to make sure it is safe before they share any information with partners.
IT staff and external consultants set up a secure setting to contain all the company’s data, equipped with extra firewalls, antivirus software and scanners to detect indicators that hackers have returned, the company’s management board said in a letter to business partners in May.
Data that Evotec shares with business partners comes with proof that it is validated and safe, Evers said. With these additional security steps, the company isn’t as efficient as it was before the attack, but productivity is at a similar level, he said.
Evotec still hasn’t calculated lost revenue from the attack, and said it expects to pay tens of millions of euros to rebuild IT systems. “We [will] come back stronger than ever,” Lanthaler said.