Ransomware Hits West Pharmaceutical, Disrupts Global Operations

West Pharmaceutical Services, a major supplier of drug packaging and delivery components, disclosed a ransomware attack that has disrupted manufacturing, shipping, and receiving operations globally. The Pennsylvania-based company filed an 8-K with the SEC on Monday evening acknowledging the incident.

Attackers breached West Pharmaceutical on May 4, exfiltrated data, and deployed file-encrypting ransomware. The company took systems offline worldwide as a containment measure—a decision that halted critical processes across multiple sites.

What We Know

According to the SEC filing, West Pharmaceutical detected unauthorized access on May 4 and immediately activated incident response protocols. The company:

• Shut down and isolated affected on-premise infrastructure
• Restricted access to enterprise systems globally
• Engaged Palo Alto Networks' Unit 42 for investigation and containment
• Notified law enforcement

The filing confirms data exfiltration occurred before encryption, the hallmark of modern double-extortion ransomware. West Pharmaceutical hasn't disclosed what information was stolen or whether it affects customer, employee, or patient data.

Ongoing Restoration

Core enterprise systems have been restored, and critical shipping, receiving, and manufacturing processes have restarted at some sites. Other facilities remain offline. The company acknowledges it hasn't finalized a complete restoration timeline.

"The incident and the Company's proactive response have temporarily disrupted the Company's business operations globally," West Pharmaceutical stated in the filing.

Financial impact remains undetermined. The company is working through business continuity plans to minimize delays for customers—a significant concern given West Pharmaceutical's role in pharmaceutical supply chains.

No One's Claimed Responsibility

As of Tuesday, no ransomware group has publicly claimed the attack on their leak site. That silence could mean several things: negotiations are ongoing, a ransom was paid, or the attackers are waiting for maximum leverage.

The lack of attribution stands in contrast to recent high-profile attacks where groups like ShinyHunters immediately publicized victims. West Pharmaceutical noted it has taken "steps intended to mitigate the risk of dissemination of the exfiltrated data"—language that often accompanies ransom negotiations.

Why Pharma Supply Chains Matter

West Pharmaceutical isn't a household name, but its products touch nearly every major drug manufacturer. The company produces injectable drug containers, delivery systems, and components used globally. Disruptions here ripple through pharmaceutical production.

Healthcare and pharma remain prime ransomware targets. The sector's operational urgency—patient care can't pause for IT recovery—creates pressure to pay. For organizations in this space, our ransomware defense guide covers the fundamentals of preparation and response.

The Bigger Picture

This attack follows a brutal Q1 2026 for ransomware victims. According to Check Point Research, 2,122 organizations appeared on ransomware leak sites in the first quarter—the second-highest Q1 on record.

Ransomware operators increasingly target organizations with complex supply chain dependencies, knowing operational pressure will outweigh the cost of ransom demands. West Pharmaceutical fits that profile precisely.

Organizations watching this unfold should take it as a reminder: incident response planning and tested backups aren't optional. The attackers will find the operational chokepoints. For more on defending against these threats, visit our ransomware news section.