[BreachExchange] U.S. spirits and wine giant hit by cyberattack, 1TB of data stolen

[Destry Winant]

https://www.bleepingcomputer.com/news/security/us-spirits-and-wine-giant-hit-by-cyberattack-1tb-of-data-stolen/

Brown-Forman, one of the largest U.S. companies in the spirits and
wine business, suffered a cyber attack. The intruders allegedly copied
1TB of confidential data; they plan on selling to the highest bidder
the most important info and leak the rest.

Headquartered in Louisville, Kentucky, the company holds world-known
whiskey and scotch brands like Jack Daniel's, Woodford, Old Forester,
Collingwood, Glenglassaugh, and Glendronach; Herradura, El Jimador,
and Pepe Lopez tequila; Finlandia vodka, and Sonoma-Cutrer wines.

Documents old and new, backups

Sodinokibi (REvil) ransomware operators announced on Friday that they
had compromised Brown-Forman's computer network and spent more than a
month examining user services, cloud data storage, and general
structure.

Following the incursion, the attackers claim they stole 1TB of data
that includes confidential information about employees, company
agreements, contracts, financial statements, and internal
correspondence.

In a post on their leak site, REvil published multiple screenshots
with directory trees, files with names that appear to support their
claims, and internal conversations between some employees. The pics
show documents dating as far back as 2009.

The actor also published screenshots of database backup entries as
recent as July 2020, suggesting that the intruder had plenty of time
to roam the network.

Ransomware failed to encrypt devices

The company confirmed the attack for BleepingComputer, adding that
there is a strong suspicion that data was stolen from their systems.

"Unfortunately, we believe some information, including employee data,
was impacted. We are working closely with law enforcement, as well as
world-class third-party data security experts, to mitigate and resolve
this situation as soon as possible," the Brown-Forman spokesperson
told us.

At this moment, there are no active negotiations with the attacker,
the company told BleepingComputer. Leaking and auctioning the files is
an attempt from REvil to squeeze Brown-Forman into paying a ransom. In
exchange, the actor promises to delete all copies of the data and not
use it in the future.

Although the final step in a ransomware attack is to encrypt data,
REvil did not get to deploy this routine. Brown-Forman detected the
attack and stopped it before data was locked, a company representative
told BleepingComputer.

"Brown-Forman was the victim of a cybersecurity attack. Our quick
actions upon discovering the attack prevented our systems from being
encrypted" - Brown-Forman spokesperson

REvil is now beating the drum about this data trove hoping that they
would force a payment or get a higher price in an auction. They say
that it contains details about the company's corporate clients and
could be useful for investors and competition.

"We still believe in the prudence of BROWN-FORMAN and are waiting for
them to continue their discussion of a way out of this situation" -
REvil posted.

Brown-Forman, however, does not seem willing to restart discussions with REvil:

"Protecting the privacy and security of personal information is
extremely important to us. The Company deeply regrets any
inconvenience or concern this may cause. Keeping information secure is
a priority for Brown-Forman. We know this news comes at an already
challenging time and may be disconcerting given the uncertainty of the
situation."