REvil operators threaten to leak files stolen from Australian firm Lion

Australian beverage company Lion announced that it has found no evidence that hackers have stolen information from its systems.

The Australian brewery and dairy conglomerate Lion suffered two cyber attacks in a few days this month.

Lion is a beverage and food company that operates in Australia and New Zealand, and a subsidiary of Japanese beverage giant Kirin. It produces and markets a range of beer, wine, cider, RTDs and spirits, as well as dairy and other beverages.

When the first attack took place, the systems at Lion were infected with the REvil ransomware and attackers demanded a ransom of reportedly $1 million last week. At the time of the first attack, the security breach caused the disruption of manufacturing processes and customer service.

On June 26, the company shared an update on the incident confirming that it has restored many key systems at its sites.

In an update shared on June 26, the company said it restored many key systems at breweries and dairy and juice sites.

“As we progress our recovery efforts, it is our number one priority to get back to our usual high standards of service levels before this cyber attack, and support our many valued business partners in what we hope will be a better second half of 2020.” reads the update published by the company.

“To date, we still do not have evidence of any data being removed. As we indicated last week, it remains a real possibility that data held on our systems may be disclosed in the future. Unfortunately, this is consistent with these types of ransomware attacks,”

“Our expert teams are continuing to do all they can to investigate this further and as previously stated, if we do identify any cases of data being taken or misused, Lion will contact the affected individuals directly.”

Lion did not share technical details of the attack, but REvil ransomware operators claim to have hacked the company and to have stolen its data before encrypting its systems.

REvil operators published on their leak site a message to the company, inviting it to contact the to pay the ransom to avoid the publishing of its files.

“otherwise all your financial, personal information your clients and other important confidential documents will be published or put up for auction.” reads the message.

As proof of the hack, the threat actors published some screenshots allegedly showing the data stolen from the company’s systems.

Some screenshots show that some of the folders are dated June 18, 2020, this means that the ransomware operators may have continued exfiltrating data more than a week after Lion discovered the security breach.

Last week, researchers from Symantec’s Threat Intelligence team reported that the REvil ransomware operators have been observed while scanning one of their victim’s network for Point of Sale (PoS) servers.

Sodinokibi ransomware operators are very active in this period, a few days after the gang has leaked the files allegedly stolen from the UK power grid middleman Elexon it has announced to launch an auction site to sell data stolen from victims that have chosen to not pay the ransom.

REvil ransomware operators focus on corporate networks that breach using exploits, launching brute-force attacks on Remote Desktop Protocol (RDP) servers, or compromising Managed Service Providers.

The group mainly targets large enterprise which is believed they would be willing to pay a large ransom to decrypt their systems. 

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Lion)

[adrotate banner=”5″]

[adrotate banner=”13″]