Digital Guardian's Blog

Ransomware Crew Ravages Liquor, Wine Company

by Chris Brook on Wednesday August 19, 2020


The parent company of some of the biggest names in liquor, including Jack Daniel's, was hit by ransomware, allowing attackers to steal 1 TB of data.

Hackers had a field day earlier this year digging through directory trees, files, and folders belonging to a wine and liquor giant. Now the group plans to auction the data off to the highest bidder - and leak the rest.

According to cybersecurity news site Bleeping Computer, the operators behind the ransomware-as-a-service REvil claimed last week to have compromised Brown-Forman, a Kentucky-based wine and spirits company that counts Jack Daniel's, Woodford Reserve, Finlandia, Korbel, and Chambord among its brands.

A spokesperson confirmed the attack with the publication last week: "Unfortunately, we believe some information, including employee data, was impacted. We are working closely with law enforcement, as well as world-class third-party data security experts, to mitigate and resolve this situation as soon as possible."

The publication cites a post published to REvil's leak site in which the ransomware crew claims to have spent more than a month inside the company's system, tracking Brown-Forman’s user services, cloud data storage, and structure. The group posted screenshots of files, conversations between employees, and some documents that are more than a year old to the leak site.

In all, the hackers claim to have 1 TB nestled away, including "confidential information about employees, company agreements, contracts, financial statements, and internal correspondence."

The spirits manufacturer is the latest victim of REvil, a ransomware group that’s also known as Sodin or Sodinokibi.

Auctioning off company data and publishing sensitive files, in an attempt to strong-arm companies into paying the ransom demand, has unfortunately become one of the group’s calling cards. Earlier this summer the hackers advertised that the group was selling files stolen from a Canadian agricultural company that failed to pay its ransom demands.

While ransomware ordinarily encrypts victim data, that wasn't the case in this instance. The company told Bleeping Computer that it was able to detect the attack and stop it before the data was locked. The company does suspect, however, that the attackers were able to exfiltrate the data from its systems, something that would partially explain the screenshots the group advertised.

It sounds like Brown-Forman is intent on waiting out REvil's attempt to get it to pay a ransom; the company told the publication there were no active negotiations. That should prevent the company from digging into its wallet. Security researchers said earlier this year that the average ransom demand for a REvil ransomware infection is a pretty penny: $260,000.

The group has infected companies around the globe this summer. It hit a Spanish state railway company, Adif, last month, in addition to an Argentinian ISP, Telecom Argentina; a Mexican bank, CIBanco; and, at the beginning of this year, a foreign exchange company, Travelex, forcing the company into bankruptcy.

Tags: Ransomware


Chris Brook

Chris Brook is the editor of Data Insider. He is a technology journalist with a decade of experience writing about information security, hackers, and privacy. Chris has attended many infosec conferences and has interviewed hackers and security researchers. Prior to joining Digital Guardian he helped launch Threatpost, an independent news site which is a leading source of information about IT and business security for hundreds of thousands of professionals worldwide.