Ransomware, Content

REvil Ransomware Attacks Food Distributors; Hackers Seek $7.5M Ransom

The REvil (Sodinokibi) hacking group has hijacked data files belonging to two large food distributors in a ransomware attack that reportedly exposed sensitive information of at least three megamarket food chains.

Its latest victims are Harvest Food Distributors, a San Diego, California-based operation sporting a national network and its parent company, Detroit, Michigan-headquartered Sherwood Food Distributors. The two companies supply megamarket chains Kroger, Albertsons, Sprouts and others. The attackers have demanded $7.5 million in ransom payments.

Last week, the cyber extortionists published dozens of emails online of what it called President Trump’s “dirty laundry,” that turned out to be a dud seemingly of no consequence. The syndicate has since said it sold a second round of Trump-related emails on the dark web.

The leak of roughly 2,300 files belonging to Sherwood and Harvest contained confidential data of its customers, such as cash flow analysis, sub-distributor information, insurance contracts, invoice amounts and other proprietary vendor information of the distributors and the food chains, including scanned drivers’ license images for drivers in its distribution networks, a DarkOwl blog post that showed some of the heisted data said. DarkOwl’s platform provides tools to search the darknet to help its customers fortify their cybersecurity profile.

Based on a note addressed to Sherwood and Harvest that the cyber kidnappers posted online on May 15, it appears that Sherwood’s board has been aware of the attack since May 3. The distributor apparently has been working with Coveware, a third-party ransomware mitigation outfit that negotiates with cyber goodfellas, DarkOwl said.

“You have had a lot of time that you have unfortunately abused with huge losses,” the mob’s note said. “In addition you made a big mistake by contacting a company that misinformed you about negotiation experience. We will publish part of the dialogues and the condition of the deal as edification to those who want to take the same path...Thanks to the actions of , our policy will be even tougher and more ruthless.” The hackers’ notice contained a link to download a portion of Sherwood's proprietary files, with a threat to release the full folder one at a time in eight segments and another to double the ransom demand.

Earlier this year, the crew used Sodinokibi to infect thousands of clients via managed security service providers (MSSPs). Late last year, it gained notoriety with an attack that cost the British foreign currency exchange firm Travelex $2.3 billion in ransom payment that the company ultimately paid. “Several mentions” have been made of the ransomware gang on English and Russian-speaking darknet forums and marketplaces, DarkOwl said. The hackers are said to have authored the GandCrab ransomware-as-a-service.

D. Howard Kass

D. Howard Kass is a contributing editor to MSSP Alert. He brings a career in journalism and market research to the role. He has served as CRN News Editor, Dataquest Channel Analyst, and West Coast Senior Contributing Editor at Channelnomics. As the CEO of The Viewpoint Group, he led groundbreaking market research.