Brown-Forman, one of the largest U.S. companies in the spirits and wine business, suffered a cyber attack. The intruders allegedly copied 1TB of confidential data; they plan on selling to the highest bidder the most important info and leak the rest.

Headquartered in Louisville, Kentucky, the company holds world-known whiskey and scotch brands like Jack Daniel's, Woodford, Old Forester, Collingwood, Glenglassaugh, and Glendronach; Herradura, El Jimador, and Pepe Lopez tequila; Finlandia vodka, and Sonoma-Cutrer wines.

Documents old and new, backups

Sodinokibi (REvil) ransomware operators announced on Friday that they had compromised Brown-Forman's computer network and spent more than a month examining user services, cloud data storage, and general structure.

Following the incursion, the attackers claim they stole 1TB of data that includes confidential information about employees, company agreements, contracts, financial statements, and internal correspondence.

In a post on their leak site, REvil published multiple screenshots with directory trees, files with names that appear to support their claims, and internal conversations between some employees. The pics show documents dating as far back as 2009.
The actor also published screenshots of database backup entries as recent as July 2020, suggesting that the intruder had plenty of time to roam the network.

Ransomware failed to encrypt devices

The company confirmed the attack for BleepingComputer, adding that there is a strong suspicion that data was stolen from their systems.

"Unfortunately, we believe some information, including employee data, was impacted. We are working closely with law enforcement, as well as world-class third-party data security experts, to mitigate and resolve this situation as soon as possible," the Brown-Forman spokesperson told us.

At this moment, there are no active negotiations with the attacker, the company told BleepingComputer. Leaking and auctioning the files is an attempt from REvil to squeeze Brown-Forman into paying a ransom. In exchange, the actor promises to delete all copies of the data and not use it in the future.

Although the final step in a ransomware attack is to encrypt data, REvil did not get to deploy this routine. Brown-Forman detected the attack and stopped it before data was locked, a company representative told BleepingComputer.

"Brown-Forman was the victim of a cybersecurity attack. Our quick actions upon discovering the attack prevented our systems from being encrypted" - Brown-Forman spokesperson

REvil is now beating the drum about this data trove hoping that they would force a payment or get a higher price in an auction. They say that it contains details about the company's corporate clients and could be useful for investors and competition.

"We still believe in the prudence of BROWN-FORMAN and are waiting for them to continue their discussion of a way out of this situation" - Revil posted.

Brown-Forman, however, does not seem willing to restart discussions with REvil:

"Protecting the privacy and security of personal information is extremely important to us. The Company deeply regrets any inconvenience or concern this may cause. Keeping information secure is a priority for Brown-Forman. We know this news comes at an already challenging time and may be disconcerting given the uncertainty of the situation."

source: https://www.bleepingcomputer.com