Italian spirits brand Campari has restored its company website following a recent ransomware attack. According to the ransom note, the group behind the breach used Ragnar Locker to encrypt most of Campari’s servers and was holding the data hostage for $15 million in Bitcoin.
Campari Group is behind liquor brands Aperol, SKYY, Grand Marnier and Wild Turkey. The company announced on Nov. 3 it was the victim of a Nov. 1 malware attack.
“The group’s IT department, with the support of IT security experts, immediately took action to limit the spread of malware in data and systems,” the Campari Group statement said. “Therefore, the company has implemented a temporary suspension of IT services, as some systems have been isolated in order to allow their sanitation and progressive restart in safe conditions for a timely restoration of ordinary operations. At the same time, an investigation into the attack was launched, which is still ongoing. It is believed that the temporary suspension of the IT systems cannot have any significant impact on the Group’s results.”
Malware researcher Pancak3 shared a copy of the ransom note with Threatpost.
The ransom note. Source: Pancak3.
“We have BREACHED your security perimeter and get [sic] access to every server of the company’s network in different countries across all your international offices,” the note reads, in part. It goes on to detail the types of data compromised, including accounting files, bank statements, employee personal information and more. The note said the scammers were able to steal a total of 2TB of data.
“If no deal is made than [sic] all your data with be published and/or sold through an auction to any third parties,” the note threatens.
As proof that they had the data, the attackers posted compromised documents on the group's leak site, including a contract between Wild Turkey and actor Matthew McConaughey, according to ZDNet.
Campari Group has not responded to Threatpost’s request for comment.
“The operators are professionals,” Pancak3 told Threatpost. “They have good knowledge of penetration tactics that enable them to gain initial entry, perform recon, and steal data prior to deploying their ransomware. Back in April they first started their public shaming site, ‘WALL OF SHAME,’ to post details of non-paying victims. It’s believed that Ragnar Locker partnered with Maze operators earlier this year.”
Ragnar Locker ransomware, Pancak3 added, is a relatively new malware written in C and C++.
“(It was) first observed in late 2019,” Pancak3 explained. “Ragnar Locker allows operators to customize the way it behaves on the infected host.”
The Campari compromise looks almost identical to the Ragnar Locker attack on Capcom, according to Pancak3.
Ragnar Locker was also reportedly used this week against Japanese gaming giant Capcom, stealing data from networks in the U.S., Japan and Canada, and Pancak3 noticed similarities between the two attacks that go beyond the malware family.
“The executables for both Capcom and Campari are signed with the same cert,” he told Threatpost, adding that it shows the group is getting a bit complacent.
“I think it shows that they are confident in their intrusion methods,” Pancak3 said.
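Reusing one code-signing certificate across samples is the kind of overlap a practitioner can check for directly: the certificate travels inside the executable's Authenticode signature table, so two samples can be correlated without any metadata from the attackers. The following script is an added example, not code from Threatpost, Pancak3 or the Ragnar Locker operators. It reads the PE security directory, walks the PKCS#7 SignedData structure far enough to pull out the embedded X.509 certificates, and intersects their SHA-256 thumbprints across two files. The PE skeleton, the certificate and the SignedData blob it builds for the demo are constructed placeholders (the function names, the serial number and the "hash-of-sample" strings are made up for illustration), not real binaries or real certificates.

```python
"""Correlate two PE executables by the X.509 certificates in their Authenticode
signature tables. Standard library only; the PE/PKCS#7 samples built at the
bottom are constructed for the demo and are not real binaries or real certs."""
import hashlib
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4        # data-directory index of the certificate table
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002

def der_iter(buf, pos=0, end=None):
    """Walk DER TLVs in buf[pos:end]; yield (tag, tlv_start, content_start, content_end).
    Single-byte tags only, which is all PKCS#7 and X.509 use here."""
    end = len(buf) if end is None else end
    while pos < end:
        tag, first = buf[pos], buf[pos + 1]
        if first & 0x80:                                   # long-form length
            n = first & 0x7F
            length, hdr = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), 2 + n
        else:
            length, hdr = first, 2
        yield tag, pos, pos + hdr, pos + hdr + length
        pos += hdr + length

def authenticode_blob(pe):
    """Return the PKCS#7 bytes from the PE security directory, or None if unsigned."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    opt = e_lfanew + 4 + 20                                # optional header follows the COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    dirs = opt + (0x70 if magic == 0x20B else 0x60)        # data directories: PE32+ vs PE32
    # For the security directory the "VirtualAddress" field is a raw file offset.
    offset, size = struct.unpack_from("<II", pe, dirs + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    if offset == 0 or size == 0:
        return None
    length, _revision, cert_type = struct.unpack_from("<IHH", pe, offset)  # WIN_CERTIFICATE header
    if cert_type != WIN_CERT_TYPE_PKCS_SIGNED_DATA:
        return None
    return pe[offset + 8:offset + length]

def certificates(pkcs7):
    """DER certs from ContentInfo -> [0] SignedData -> certificates [0] IMPLICIT SET OF Certificate."""
    _, _, s, e = next(der_iter(pkcs7))                     # ContentInfo SEQUENCE
    oid, content = list(der_iter(pkcs7, s, e))[:2]
    if oid[0] != 0x06 or content[0] != 0xA0:
        raise ValueError("not a PKCS#7 ContentInfo")
    _, _, ss, se = next(der_iter(pkcs7, content[2], content[3]))   # SignedData SEQUENCE
    for tag, _, cs, ce in der_iter(pkcs7, ss, se):
        if tag == 0xA0:                                    # certificates; crls would be 0xA1
            return [pkcs7[c[1]:c[3]] for c in der_iter(pkcs7, cs, ce)]
    return []

def cert_thumbprint(cert):
    return hashlib.sha256(cert).hexdigest()

def signing_thumbprints(pe):
    """SHA-256 thumbprints of every certificate carried in the signature (signer plus chain)."""
    blob = authenticode_blob(pe)
    return set() if blob is None else {cert_thumbprint(c) for c in certificates(blob)}

def shared_certificates(pe_a, pe_b):
    return signing_thumbprints(pe_a) & signing_thumbprints(pe_b)

# Constructed sample data below: a hypothetical cert and PE skeleton for the demo only.
def der(tag, payload):
    n = len(payload)
    length = bytes([n]) if n < 0x80 else b"\x81" + bytes([n]) if n < 0x100 else b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + payload

def fake_certificate(serial):
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, serial) + der(0x30, der(0x06, b"\x2a\x03")))
    return der(0x30, tbs + der(0x30, der(0x06, b"\x2a\x03")) + der(0x03, b"\x00fake-signature"))

def fake_signed_data(cert, digest):
    """ContentInfo{signedData OID, [0] SignedData{version, digestAlgs, contentInfo, [0] certs, signerInfos}}."""
    signed = der(0x30, der(0x02, b"\x01") + der(0x31, b"") + der(0x30, der(0x06, b"\x2a\x03"))
                 + der(0xA0, cert) + der(0x31, der(0x30, der(0x04, digest))))
    return der(0x30, der(0x06, bytes.fromhex("2a864886f70d010702")) + der(0xA0, signed))  # 1.2.840.113549.1.7.2

def build_pe(pkcs7=None):
    """Minimal PE32+ skeleton whose security directory points at pkcs7 (or at nothing)."""
    e_lfanew, headers = 0x40, 0x40 + 4 + 20 + 0x70 + 16 * 8
    pe = bytearray(headers)
    pe[:2], pe[e_lfanew:e_lfanew + 4] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", pe, 0x3C, e_lfanew)
    struct.pack_into("<H", pe, e_lfanew + 24, 0x20B)       # PE32+ magic
    if pkcs7 is None:
        return bytes(pe)
    win_cert = struct.pack("<IHH", 8 + len(pkcs7), 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + pkcs7
    struct.pack_into("<II", pe, e_lfanew + 24 + 0x70 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, headers, len(win_cert))
    return bytes(pe) + win_cert

if __name__ == "__main__":
    cert = fake_certificate(b"\x0b\xad\xca\xfe")
    sample_a = build_pe(fake_signed_data(cert, b"hash-of-sample-a"))
    sample_b = build_pe(fake_signed_data(cert, b"hash-of-sample-b"))
    print("shared signing certs:", shared_certificates(sample_a, sample_b))
```

Two caveats when running this against real samples. The certificates set in a real signature carries the whole chain, so an intersection that contains only an intermediate or root certificate is expected across unrelated software from the same CA; the correlation signal is a shared leaf, which you can confirm by checking which certificate's issuer and serial the SignerInfo names. And the header parsing here assumes a well-formed PE with at least five data directories; for production triage of hostile files, extract the blob with a maintained PE parser and feed it to `openssl pkcs7 -inform DER -print_certs` or equivalent rather than trusting hand-rolled offsets.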
Ransomware attacks have been on the rise since the beginning of the pandemic last spring. Last July, SonicWall’s 2020 Cyber Threat Report said ransomware attacks had more than doubled over the previous year.
“As we’ve seen with Campari and many others, ransomware continues to be a significant threat to organizations large and small,” Wade Lance, CTO at Illusive Networks said via email. “Cybercriminals only need to get lucky once when they attack with ransomware to be successful. On the other hand, large organizations must stop every attempted cyberattack aimed at them, and if they are wrong even once the consequences are catastrophic.”