Italian liquor giant Campari Group recently suffered a successful Ragnar Locker ransomware attack that involved hackers exfiltrating up to 2TB of company data that included bank statements, employee records, and celebrity agreements.
On Tuesday, Campari Group issued a statement about the cyber attack, stating that the attack presumably took place on 1st November and forced it to quickly isolate its computer systems and servers to prevent the malware from spreading across the entire network.
“The company has implemented a temporary suspension of IT services, as some systems have been isolated in order to allow their sanitation and progressive restart in safe conditions for a timely restoration of ordinary operations. At the same time, an investigation into the attack was launched, which is still ongoing,” the company said.
A ransom note sent by the Ragnar Locker ransomware gang to the Campari Group was recently obtained by Bleeping Computer, which said the note was discovered by security researcher Pancak3. In the note, the hacker group said it exfiltrated more than 2TB of company data that included bank statements, employee records, celebrity agreements, licensing certificates, government letters, accounting files, and agreements and contracts with importers, resellers, and distributors.
The Ragnar Locker gang said it expected the company to quickly contact it via live chat to make a deal, failing which it would either publish all the stolen data or sell the data through an auction to third parties. Campari Group was also promised “a very special price” by the hackers if it contacted them within two days of receiving the note.
According to Pancak3, the Ragnar Locker gang is demanding as much as $15 million from Campari Group after encrypting a majority of the company’s servers located across 24 countries. The size of the ransom demand may not be surprising, as Campari Group earned revenue of €1,842.5 million worldwide in 2019 and has operations in a large number of regions and countries.
Commenting on the Ragnar Locker attack targeting Campari Group’s servers, Raif Mehment, VP EMEA at Bitglass, said that for Campari Group, not only is there the demand of $15 million (should they choose to pay the ransom) but there is the cost of downtime, lost sales opportunities, damage to brand reputation and potential fines for non-compliance that could come into play.
“Ransomware is one of the fastest-growing malware threats and this case is just one of many that demonstrates that most companies today are not prepared for a ransomware attack – let alone disaster recovery after the fact.
“Organisations should always take a comprehensive view of their security – evaluate all services in use and the gaps most likely to pose a risk to corporate data. Organisations need to leverage security solutions that can identify and remediate both known and zero-day threats on any cloud application or service, and protect managed and unmanaged devices that access corporate resources and data. It’s also crucial that organisations ensure their employees have appropriate security training to identify illegitimate emails and phishing attempts, one of the primary vectors for ransomware attacks,” he added.
Joseph Carson, Chief Security Scientist at Thycotic, said that while Campari Group have opted to restore systems rather than pay the ransom – which is positive news – it still appears that systems, including websites, email and phone systems, continue to be unavailable for the 5th day now. It is critical that companies have backup plans, and it is also important to have some automation in place and have the plan tested and ready.
“One thing that will surely continue to slow incident response is the ongoing COVID-19 pandemic which will make the restoring process slower while trying to keep the health of employees as a top priority. To help with such challenges, companies must also have a solid privileged access management capability so that employees can restore and recover systems remotely without putting their health at risk,” he added.