[BreachExchange] Attackers give Lion deadline for paying ransom of US$800, 000 Featured

Destry Winant destry at riskbasedsecurity.com
Thu Jun 18 10:20:29 EDT 2020


Australian drinks manufacturer Lion is facing a ransom demand of
US$800,000 to decrypt its files from a group that used the REvil
ransomware to attack the company's site.

Security sources have told iTWire that the group has given Lion time
until 19 June to pay up, and threatened to double the ransom after
that. The attackers have not yet made their demands public.

Lion, which also operates in New Zealand, is a subsidiary of the
Japanese beverage giant Kirin. According to Wikipedia, it has about
7000 employees and its 2015 revenue was $5.6 billion.

The company first revealed that its systems had been attacked on 9
June and has been providing regular updates, the latest being on 15

In that update, Lion said: "Our investigations have shown that a
partial IT system outage at Lion is a result of a ransomware attack.
In response, we immediately shut down key systems as a precaution.

A screenshot of the ransom demand.

"Our IT teams and expert cyber advisers have continued working
throughout the weekend to investigate this incident, working to bring
systems back online safely.

"We have made good progress. However, there is still some way to go
before we can resume our normal manufacturing operations and customer

The note also said that it was running short of product. "Across our
Australian and New Zealand adult beverages businesses, we continue to
have limited visibility of our products in our systems," the note

"We’re working to bring our breweries back online as soon as possible,
hoping to get a number of our breweries back up and running very

REVil, which is also known as Sodinokibi, attacks systems running
Microsoft's Windows operating system.

It is one of the growing number of ransomware packages that first
exfiltrates files on a victim's system and then encrypts them on-site.

A ransom note is then generated, with instructions provided as to how
payment can be made, generally in cryptocurrencies.

If the victim does not pay by the deadline, then files are slowly
leaked on the dark web in small amounts as a bargaining tactic.

REvil recently started another way of making money off the data it
steals, in the event that the ransom is not paid. It puts up the data
for auction.

Contacted for comment, ransomware threat researcher Brett Callow said:
"Like multiple other groups, REvil steals data and uses the threat of
its release — or, in some cases, auction — as additional leverage to
extort payment."

Callow, who works for the New Zealand-headquartered security outfit
Emsisoft, added: "Companies in this situation are without a good
option. They've been breached, and paying the ransom does not change
that. Giving in to the group's demands will simply result in a pinky
promise that the stolen data will be destroyed and misused – but, as
it's coming from criminals, that pinky promise carries little weight."

More information about the BreachExchange mailing list