The infamous ransomware group hit two big-name companies within hours of each other.
U.K.-based fashion brand French Connection, which advertises under the acronym “FCUK,” confirmed that it has been compromised by ransomware group REvil. Just hours later, Brazilian medical diagnostics firm Grupo Fleury announced it had the same misfortune.
The twin attacks reveal shifting strategies and motivations for one of the world’s most dangerous ransomware threat actors.
The prolific ransomware gang, which also goes by the moniker Sodinokibi, was able to breach French Connection’s back-end servers to steal the personal data of company executives.
The company confirmed the breach in a statement but stressed they have “no evidence” that customer data was compromised during the attack, adding that business is “continuing to operate largely as normal.”
Passport and identification card scans for the company’s top executives, founder and CEO Stephen Marks, CFO Lee Williams and COO Neil Williams, were among the stolen files, The Register confirmed.
“As soon as it became aware of the breach, the company took immediate action, suspending all affected systems and engaging third-party experts to assist with resolving the situation,” French Connection’s statement continued. “The company is now actively working to restore its systems as quickly and safely as possible, and where necessary, is using manual overrides in order to ensure that the company can continue to operate.”
Brazilian medical diagnostics firm meanwhile Grupo Fleury was hit with REvil ransomware on Tuesday and announced late on June 23 that it was working toward resuming operations.
REvil is demanding $5 million to send Grupo Fleury a decryptor, according to BleepingComputer.
What FCUK, Grupo Fleury Attacks Say About REvil
Jamie Hart, threat intelligence analyst with Digital Shadows, views the two REvil attacks slightly differently, explaining that the French Connection attack was likely one of opportunity, to prove any company can be breached, anywhere.
The attack on Grupo Fleury is part of a larger REvil campaign against Brazil-based companies. Hart said the ransomware group told the Russian-OSINT Telegram channel they wanted revenge against Brazil, but it’s not clear why.
“REvil’s (a.k.a. Sodinokibi) targeting of Grupo Fleury continues their campaign against Brazil-based organizations,” Hart told Threatpost. “REvil is known for exfiltrating data, and the data could include personally identifiable information (PII) and sensitive medical information of their patients and staff, which could be detrimental for the organization.”
Hart added that if REvil’s ransomware demands aren’t met, that data is likely to pop up on a leak site soon.
This shift in focus to internal employee data rather than customer information is new, Rita Gurevich, founder and CEO of SPHERE Technology, explained to Threatpost.
“A few years ago, ransomware was primarily focused on targeting consumers, but recently we have seen the switch to the more lucrative corporate arena,” Gurevich said. “These attacks have become more sophisticated, transitioning from the known phishing strategy using a bulk email approach, to a spear-phishing strategy which is highly targeted, harder to detect and has a much higher success rate.”
And while law enforcement has had some success with crackdowns on groups like Clop, ransomware tip-of-the-spear malware Emotet and Colonial Pipeline attacker DarkSide, she added that the ease with which an aspiring cybercriminal can get their hands on ransomware is fueling the rise of attacks.
REvil is getting increasingly brazen.
Is Ransomware Reveal Fatigue Real?
This steady drumbeat of ransomware headlines is contributing to what Dirk Schrader with New Net Technologies called “ransomware reveal fatigue.”
“It seems we need a hashtag like #ransomwarealertfatigue, or #raf,” Schrader told Threatpost. “FCUK was not the first, won’t be the last to get hit. Unfortunately, companies, normal users and perhaps also some security professionals will take limited or even no notice about it. IT security is already on high alert, and the other two groups seem to have adjusted to the problem with no intention to change their approach to the risk.”
Gurevich agreed, saying the federal government and security community are working together to flip companies’ posture from response to prevention.
Those organizations interested in shoring up cybersecurity defenses should start with “early steps in the cyber-kill chain,” Schrader added. “Limit reconnaissance on the infrastructure so that less or no information can be used to weaponize an attack against it, inhibit delivery of malware to reduce the attack surface for exploitation, and lastly detect any installation, any file dropped on a device, as being an unwanted change to the system’s status and integrity.”
Join Threatpost for “Tips and Tactics for Better Threat Hunting” — a LIVE event on Wed., June 30 at 2:00 PM ET in partnership with Palo Alto Networks. Learn from Palo Alto’s Unit 42 experts the best way to hunt down threats and how to use automation to help. Register HERE for free.