A manufacturer of devices used in heart surgeries says it's dealing with "a cybersecurity incident" that bears all the hallmarks of a ransomware attack.
Artivion, which is listed on the New York Stock Exchange, said the incident took place on November 21 and "involved the acquisition and encryption of files."
In plain terms, it means attackers broke in, stole data, and locked the company out of at least some of its files. The company doesn't mention it specifically, but the description sounds like a classic case of double extortion ransomware.
It said in a [filing](https://www.sec.gov/Archives/edgar/data/784199/000078419924000253/aort-20241209.htm) with the Securities and Exchange Commission: "Artivion identified and began taking measures to address a cybersecurity incident on November 21, 2024. Artivion's response measures included taking certain systems offline, initiating an investigation, and engaging external advisors, including legal, cybersecurity, and forensics professionals to assess, contain, and remediate the incident.
"The company is working to securely restore its systems as quickly as possible and to evaluate any notification obligations."
At the time of writing, no established ransomware gang has taken credit for the attack. In scenarios where an attack was carried out by a known group and the victim hasn't yet appeared on its data leak site, it typically means the two sides are still negotiating over the attacker's ransom demands.
A double extortion scenario involves multiple, escalating phases of pressure applied to victims to ensure payments are made quickly. First, the attack is claimed. Then, if the crooks stole any data, they may additionally post a sample of it online to prove their claims are genuine. The final threat is to post all files that were stolen, which carries the threat of regulatory and reputational harm to the victim.
The US Cybersecurity and Infrastructure Security Agency (CISA) officially advises against paying ransoms at all costs. Not only do these payments directly fund crime, but they also don't guarantee that criminals' promises to delete the data they stole will be honored, as [evidenced by the LockBit leaks](https://www.theregister.com/2024/06/06/lockbit_fbi_decryption_keys/) this year.
Artivion added that the incident is still causing disruptions to order and shipping processes, as well as "certain corporate operations," although these have been largely mitigated.
Finances shouldn't be an issue, however, since the company expects its cyber insurance to be adequate to cover most expenses, although Artivion acknowledged it will continue to incur additional costs that are out of scope of its coverage as remediation efforts continue.
The company added that the incident hasn't yet had, or is not yet expected to have, a material impact on its finances, but the situation "remains subject to various risks ... including the impact of delays in restoration, and, as a result, cannot provide assurances that the incident will not be determined to have a material impact in the future."
Artivion's financial year ends on December 30, but the company recently posted its third-quarter revenues, which amounted to $95.8 million – up from $87.9 million in the third quarter of 2023.
Its products support heart and vascular surgeries and include heart valves, aortic arches, and stent grafts. It also offers a wide range of cryogenically preserved cardiac and vascular allografts – donor tissues that are preserved and later thawed for use in surgeries.