Aussie Beer and Milk Producer the Target of International ‘Ransomware Gang’


Australian beer and milk production is the target of an international ransomware gang after Lion, the maker of popular beer brands such as XXXX and James Squire, shut down its IT systems and ceased manufacturing earlier this month.

The initial attack occurred on June 9 and was first reported by the Sydney Morning Herald. It caused the company to shut down its IT system and temporarily cease manufacturing until it had been fully investigated. Lion said while the attack could affect Australian supplies of beers, such as Little Creatures and Hahn, as well as its Pura milk and Berri and Just Juice brands, it had enough stocks in storage due to coronavirus restrictions.

At the time, those behind the attack were unknown but Lion has since confirmed it was the result of a ransomware attack and is working to restore its systems, which have remained shut since.

“Our investigations have shown that a partial IT system outage at Lion is a result of a ransomware attack. In response, we immediately shut down key systems as a precaution,” a June 15 statement by Lion said.

“Our IT teams and expert cyber advisors have continued working throughout the weekend to investigate this incident, working to bring systems back online safely.”

Gizmodo Australia has contacted Lion to understand what the ransomware attackers are demanding and if it has engaged the help of Australian Signals Directorate’s Australian Cyber Security Centre.

According to iTWire, the culprits behind the attack are alleged to be an infamous ransomware gang called REvil, which is demanding the manufacturer hand over $US800,000 (nearly $1.17 million) for the decryption and secure return of Lion’s documents. If Lion doesn’t comply, the hackers claim they will sell the documents to the highest bidder.

It’s not known exactly what documents the hackers allegedly hold but iTWire reports a source claims it’s the company’s financial information as well as clients’ personal information.

REvil, also known as Sodinokibi, has gained notoriety for its aggressive targeting of companies and personalities around the world. Earlier in June, it launched an auction site to sell the stolen data, per a ZDNet report. Its first auction included the data of a Canadian agricultural firm but, perhaps more notably, it’s also alleging to have sensitive files from a New York law firm, which include the private legal documents of pop star Madonna.

It’s also known to have used similar tactics to attack Travelex, a U.K. foreign exchange company.

In April 2020, Microsoft’s Threat Protection Intelligence Team acknowledged the existence of the ransomware gang, which is known to attack Windows operating systems.

“REvil (also called Sodinokibi) gained notoriety for accessing MSPs [managed service providers] and accessing the networks and documents of customers — and selling access to both,” its threat assessment read.

“REvil attacks are differentiated in their uptake of new vulnerabilities, but their techniques overlap with many other groups.”

It’s part of the reason the ransomware has been so aggressive. According to Kaspersky’s Kieran Cook, it’s also due to the ransomware’s adaptability.

“I think REvil has been particularly prominent due to the ease of accessibility, as its backend is an RaaS [Ransomware-as-a-Service]. The services behind the ransomware are being continually refined and perfected to the point that it is a highly deliverable, scalable and customisable service offered to whichever criminal syndicate or nation state wishes to leverage it,” Cook said to Gizmodo Australia in an email.

“This has simply boosted their technique, confidence and adrenaline over the years to keep going after larger sums.”