Executive Summary
In May 2026, West Pharmaceutical Services, a leading manufacturer of pharmaceutical packaging and delivery systems, experienced a significant ransomware attack. Detected on May 4, the attack involved unauthorized data exfiltration and system encryption, leading the company to proactively shut down and isolate affected on-premises infrastructure globally. This containment measure temporarily disrupted business operations worldwide. The company engaged Palo Alto Networks' Unit 42 for incident response and notified law enforcement. As of May 11, core enterprise systems had been restored, and critical shipping, receiving, and manufacturing processes had restarted at some sites; however, a complete restoration timeline had not been finalized. The financial impact of the incident remains under assessment. This incident underscores the escalating threat of ransomware attacks targeting critical infrastructure sectors, including pharmaceutical manufacturing. Organizations in these sectors must prioritize robust cybersecurity measures, incident response planning, and employee training to mitigate the risk of such disruptive attacks.
Why This Matters Now
The West Pharmaceutical Services ransomware attack highlights the increasing frequency and sophistication of cyberattacks targeting critical infrastructure sectors. As these attacks can disrupt essential services and supply chains, it is imperative for organizations to enhance their cybersecurity posture and resilience strategies to prevent and respond to such incidents effectively.
Attack Path Analysis
The attackers gained initial access to West Pharmaceutical Services' network, escalated privileges to access sensitive data, moved laterally to identify and exfiltrate critical information, established command and control channels to manage the attack, exfiltrated data before deploying ransomware, and finally encrypted systems to disrupt operations.
Kill Chain Progression
Initial Compromise
Description
Attackers gained initial access to the network through an unspecified method.
MITRE ATT&CK® Techniques
Valid Accounts
Command and Scripting Interpreter
Data Encrypted for Impact
Exfiltration Over Web Service
Application Layer Protocol
Inhibit System Recovery
Impair Defenses
Data from Information Repositories
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Malware Protection
Control ID: 6.4.3
NYDFS 23 NYCRR 500 – Encryption of Nonpublic Information
Control ID: 500.15
DORA – ICT Risk Management Framework
Control ID: Article 10
CISA ZTMM 2.0 – Identity and Access Management
Control ID: 3.1
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
ISO 27001 – Information Backup
Control ID: A.12.3.1
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Pharmaceuticals
West Pharmaceutical's ransomware breach highlights critical vulnerabilities in pharmaceutical manufacturing systems, threatening drug delivery supply chains and HIPAA-regulated patient data.
Health Care / Life Sciences
The healthcare sector faces elevated ransomware risks targeting medical device manufacturers, with potential disruption to injectable drug packaging and containment systems.
Biotechnology/Greentech
Biotech companies using similar manufacturing infrastructure are vulnerable to lateral movement attacks targeting specialized drug delivery and containment system production capabilities.
Medical Equipment
Medical equipment manufacturers are at risk from ransomware targeting production systems for syringes, vials, and specialized drug delivery devices critical to healthcare.
Sources
- West Pharmaceutical says hackers stole data, encrypted systems: https://www.bleepingcomputer.com/news/security/west-pharmaceutical-says-hackers-stole-data-encrypted-systems/ (Verified)
- West Pharmaceutical Services Hit by Disruptive Ransomware Attack: https://www.securityweek.com/west-pharmaceutical-services-hit-by-disruptive-ransomware-attack/ (Verified)
- West Pharmaceutical Services reports cybersecurity incident affecting operations: https://m.investing.com/news/sec-filings/west-pharmaceutical-services-reports-cybersecurity-incident-affecting-operations-93CH-4678506?ampMode=1 (Verified)
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Implementing Aviatrix Zero Trust CNSF would likely have constrained the attacker's ability to move laterally and exfiltrate data by enforcing strict segmentation and controlled egress policies.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: While initial access may still occur, CNSF would likely limit the attacker's ability to exploit this access further.
Control: Zero Trust Segmentation
Mitigation: Zero Trust Segmentation would likely limit the attacker's ability to escalate privileges by enforcing strict access controls.
Control: East-West Traffic Security
Mitigation: East-West Traffic Security would likely restrict the attacker's ability to move laterally by controlling internal communications.
Control: Multicloud Visibility & Control
Mitigation: Multicloud Visibility & Control would likely detect and limit unauthorized command and control communications.
Control: Egress Security & Policy Enforcement
Mitigation: Egress Security & Policy Enforcement would likely limit the attacker's ability to exfiltrate data by controlling outbound traffic.
While system encryption may still occur, prior controls would likely limit the attacker's ability to reach critical systems.
Impact at a Glance
Affected Business Functions
- Manufacturing Operations
- Shipping and Receiving
- Enterprise Systems
Estimated downtime: 14 days
Estimated loss: N/A
The specific categories of data exfiltrated have not been disclosed.
Recommended Actions
Key Takeaways & Next Steps
- Implement Zero Trust Segmentation to limit lateral movement within the network.
- Enhance East-West Traffic Security to detect and prevent unauthorized internal communications.
- Deploy Egress Security & Policy Enforcement to monitor and control data exfiltration attempts.
- Utilize Multicloud Visibility & Control to gain comprehensive insights into network activities.
- Establish Threat Detection & Anomaly Response mechanisms to identify and respond to suspicious behaviors promptly.