[Security Information] Retail giant Dairy Farm Group hit by ransomware, with a ransom demand as high as US$30 million

  • Author | Safety Cow
  • Published | 2021-01-28

Dairy Farm Group, a large pan-Asian retail chain operator, was hit by REvil ransomware this month, with a ransom demand reported to be as high as US$30 million.

Dairy Farm has more than 10,000 outlets and 230,000 employees in Asia. In 2019, Dairy Farm's annual sales exceeded US$27 billion.

Dairy Farm operates numerous grocery stores, convenience stores, health and beauty, home furnishing and restaurant brands in the Asian market. Its brands and stores include 7-Eleven convenience stores, Wellcome, Giant, Cold Storage, Hero, Rose Pharmacy, GNC, Mannings, IKEA, Maxim's and others. Dairy Farm is also the largest shareholder of Yonghui Superstores.

According to a report by BleepingComputer, the REvil ransomware group breached Dairy Farm's network and encrypted devices on or about January 14, 2021, and the ransom demand was as high as US$30 million. The amount has not been confirmed.

To prove that they had access to Dairy Farm's internal network, the attackers shared screenshots of Active Directory Users and Computers.

The attackers claimed that, seven days after the attack, they still had access to Dairy Farm's internal network, including full control over Dairy Farm's e-mail, and stated that they would use that e-mail for phishing attacks.

The attacker told BleepingComputer: "They (Dairy Farm) cannot shut down the network because doing so would disrupt the business. A group of attackers is still attacking the company, and there are more than 30,000 hosts."

Dairy Farm confirmed to BleepingComputer that it had suffered a cyber attack this month, but said that less than 2% of the company's equipment was affected.

"At Dairy Farm, protecting our systems is a top priority. On Thursday, we discovered the attack, which affected less than 2% of the business servers, all of which were taken offline and quarantined. As an additional precaution, we launched comprehensive protection measures. With the support of external security experts, a thorough investigation has been conducted, more security measures have been taken, and our monitoring systems have been further strengthened."

"All our stores are open to serve customers, and only close when national or local governments impose COVID-19 restrictions," Dairy Farm told BleepingComputer via e-mail.

But in a subsequent phone conversation with Dairy Farm, BleepingComputer informed the company that the threat actors claimed to still have access to the network and were allegedly still downloading data from it.

A screenshot of an e-mail leaked by the attackers shows that they still had access to the internal network and were still encrypting endpoint data while Dairy Farm's technical team was mitigating the attack.

Since the Christmas holiday last year, large-scale attacks by ransomware groups appeared to have subsided, but unfortunately in late January attacks on large enterprises have picked up again, including the attack on Dairy Farm and the earlier attack on the global network of crane manufacturer Palfinger.

[This article is an original article by 51CTO columnist "Safety Cow". For reprinting, please obtain authorization from Safety Cow (WeChat official account ID: gooann-sectv).]

Source: blog.csdn.net/YiAnSociety/article/details/113338985