Multi-Actor Ransomware Attacks: What Happened to Novo Nordisk?
Multi-actor ransomware attacks have become a serious cyber threat for organisations worldwide. In a recent case, Danish pharmaceutical giant Novo Nordisk was targeted by two separate threat groups, each demanding multi-million dollar ransoms. This incident highlights the increasing complexity and risk of ransomware incidents, particularly when more than one criminal group is involved.
In June 2026, FulcrumSec claimed to have breached Novo Nordisk, publishing details and data samples on their dark web leak site. Shortly after, a second individual or group also claimed responsibility for hacking the company, demanding a separate ransom. FulcrumSec reportedly demanded 50 million dollars, while the second threat actor requested 25 million dollars. According to reports, Novo Nordisk did not pay either group.
Why Multi-Actor Ransomware Incidents Matter
The Novo Nordisk case is a prime example of how modern ransomware attacks are evolving. Instead of dealing with a single adversary, organisations can now face overlapping or even competing extortion demands from multiple threat actors. This evolution presents several challenges for defenders and business leaders alike.
Increased Pressure and Confusion
When more than one group claims responsibility for a breach, the pressure on decision-makers rises sharply. Each group may threaten to leak sensitive data or escalate attacks if their demands are not met. This overlapping pressure can create confusion and uncertainty about the true scope of the breach and who actually has access to company data.
Potential for Greater Data Exposure
Multiple actors targeting the same organisation increases the risk that stolen data will be leaked, sold or used in further attacks. Even if a ransom is paid to one group, another may still possess or release the same information. In the Novo Nordisk case, data samples were reportedly published on leak sites, raising concerns about sensitive information entering the public domain.
Complex Incident Response
Multi-actor attacks complicate incident response and communication. Security teams must verify claims, manage negotiations and coordinate with law enforcement, all while handling internal and external communications. The potential for missteps grows as the situation becomes more complex and time-sensitive.
- Organisations may receive ransom notes from different groups for the same breach.
- Threat actors could release information at different times, prolonging the crisis.
- It is difficult to determine which group is the initial attacker and which are opportunists.
Key Lessons for Organisations: Responding to Multi-Actor Ransomware Threats
Incidents like the Novo Nordisk ransomware attack demonstrate the need for robust cyber resilience strategies. While no organisation can guarantee immunity from ransomware, several practical steps can improve readiness and response.
1. Prepare for Multiple Extortion Attempts
Security teams should anticipate the possibility of multiple demands and factor this into incident response planning. This includes establishing clear processes for validating claims, tracking communications from threat actors and assessing potential impacts.
- Maintain a central log of all ransom demands and related communications.
- Assign responsibility for verifying the authenticity of each claim.
- Work with legal counsel and cyber insurance providers early in the process.
2. Strengthen Technical Defences and Detection
Preventing initial access remains critical. Multi-actor incidents suggest that threat actors may exploit the same vulnerability or use leaked credentials from a previous attack. Regular vulnerability assessments, patch management and multi-factor authentication can reduce the risk of compromise.
- Conduct regular penetration testing and security reviews.
- Monitor for unusual user activity and signs of lateral movement.
- Ensure backup systems are isolated and tested for recovery readiness.
3. Focus on Communication and Crisis Management
Transparent and timely communication is vital during a ransomware crisis. Multi-actor attacks can generate confusion internally and externally. Organisations should develop crisis communication plans that include guidance for handling competing ransom demands and public disclosure of data breaches.
- Inform executive leadership and board members early in the process.
- Coordinate with law enforcement and regulatory authorities as required.
- Prepare statements for customers and partners in case of data exposure.
4. Learn from Incidents and Improve Continuously
After any security incident, review what worked and where processes can be improved. Update incident response playbooks to reflect the possibility of multi-actor ransomware attacks. Conduct tabletop exercises to test response to overlapping extortion scenarios.
- Debrief with all relevant teams after an incident.
- Share lessons learned with industry peers where appropriate.
- Review cyber insurance coverage for multiple extortion events.
Conclusion: Building Resilience Against Multi-Actor Ransomware
The Novo Nordisk case shows that ransomware actors are willing to target large organisations in parallel, hoping to increase pressure and confusion. Even when ransoms are not paid, data exposure remains a risk. A proactive, well-practised response plan is essential for minimising damage and recovering quickly.
Organisations should prioritise ransomware prevention, maintain clear lines of communication and rehearse their incident response for complex scenarios. By learning from cases like Novo Nordisk, business leaders and IT teams can strengthen their defences against the growing threat of multi-actor ransomware attacks.
Originally reported by databreaches.net.
