US hard liquor giant Brown-Forman is the latest high-profile victim of ransomware criminals.
Even if the company’s name doesn’t ring a bell, some of its products are well-known to spirits drinkers world-wide: Brown-Forman owns Jack Daniel’s whiskey, Finlandia vodka and other global brands.
It’s a multi-billion dollar business, headquartered in Louisville, Kentucky – a US state that’s famous for American whiskey – and you can see why today’s big-money ransomware crooks might go after a company of that size and sort.
According to business media site Bloomberg, which claims to have received an anonymous tip-off from the crooks behind the attack, the ransomware gang involved is the infamous REvil (also known as Sodinokibi) crew.
The REvil crew make up one of what you might call a “new wave” of ransomware operators who practise three-stage attacks that end in double-barrelled blackmail:
- First, they break into a victim’s network and scope it out. During this reconnaissance the crooks will typically work their way up to sysadmin level access, map out all the clients and servers on the network, search out where online backups are kept, locate or introduce powerful system administration tools they can use later to assist in the attack, and reconfigure (or turn off) system security settings to give them the broadest reach possible. Sometimes, they’ll even launch mini-attacks with trial samples of malware as a way to probe your defences and to find which attack techniques are most likely to succeed.
- Second, they exfiltrate – which is a fancy word for steal – as much corporate data as they can get their hands on. In the Brown-Forman attack, where the attackers claimed to have purloined 1 terabyte of data, Bloomberg says that it received links to a website where the crooks revealed “proof” of the data breach by listing sample files going back more than 10 years.
- Third, they encrypt as many files on the network as possible, using a scrambling algorithm for which they alone have the key. The crooks typically copy the malware program across the network first, so that when they kick off the encryption process, it runs in parallel on all your devices, thus bringing maximum disruption in minimum time.
How these stages evolved
As you probably know, the first two stages above are fairly recent developments in ransomware criminality.
Back in 2013, when the infamous CryptoLocker gang were the kings of the ransomware scene, it was all about stage 3: scrambling files and then using the decryption key as a blackmail tool: “Send us $300 or your files are gone forever”.
The crooks generally didn’t target networks back then; instead, they went after millions of victims in parallel, with each infected computer ransomed independently.
The criminals “targeted” everyone – from home users who probably didn’t have backups of any sort and might be willing to spend $300 to get their wedding photos or the videos of their children back – to big companies where 100 users might fall for the latest ransomware spam campaign and the business would need to spend 100 × $300 to get the unique decryption key for each now-useless computer.
Stage 1 arrived on the ransomware scene when criminals realised that by going after entire networks one-at-a-time, they could cut their “losses” early in the case of a network that they didn’t have much success with, and focus on networks where they could cause disruption that was both sudden and total.
Instead of pursuing thousands of individual computer users for hundreds of dollars each, the crooks could blackmail a single company at a time for tens of thousands of dollars a time.
Indeed, the early adopters of the “all-at-once” ransomware approach often took the cynical approach of offering two prices: a per-PC decryption fee, and an “all you can eat” buffet price for a master key that would unscramble as many computers as you wanted – almost as if the crooks were doing you a favour.
The crooks behind the SamSam malware – four Iranians have been identified and formally charged by the US, but are unlikely ever to stand trial – even offered a staged payment “service” whereby you could pay half the ransom to receive half of the decryption keys (chosen randomly by the criminals).
If you were lucky, you might just end up with enough computers running again to save your business for just 50% of the usual price…
…but if not, you could pay the rest of the ransom, presumably now with considerable confidence that the crooks would deliver the decryption tools as promised.
You could even take a chance on paying the per-PC fee for your most critical computers – typically $8000 a time – to tide you over, and “top up” later, once you were “confident” in the criminals, to the master-key price, which was typically set by the SamSam crooks just below $50,000.
Whether they chose $50,000 at a guess, or because they found it represented a common accounting department limit in the US below which it was much easier for the IT manager to get the payment approved, we never found out.
As you can imagine, the exposure of the alleged perpetrators by US law enforcement pretty much drove the SamSam crooks out of business, albeit not before they had extorted millions of dollars from victims around the world. Ultimately, though, it didn’t make much of a dent in ransomware attacks in general.
Sadly, the SamSam gang’s fee of $50,000 a network turns out to be small by current standards.
A recent ransomware attack that took US GPS and fitness tracker giant Garmin offline for several days was apparently “resolved” when the company coughed up a multi-million dollar payment, supposedly negotiated downwards from $10,000,000.
That incident attracted controversy because the ransomware involved was alleged to have been the work of a Russian cybercrime outfit known as Evil Corp, and transactions with that group are prohibited by US sanctions imposed in December 2019.
And US travel company CWT is said to have coughed up $4,500,000 recently – again, down from an opening demand of an alleged $10 million for unscrambling what the crooks claimed were 30,000 ransomed computers.
If true, $10,000,000 for 30,000 devices comes out at $333 each, a fascinating full-circle back to the $300 price point of the 2013 CryptoLocker ransomware, which was itself an intriguing echo of the first ever ransomware attack, way back in 1989, where the criminal behind the malware demanded $378. (With no prepaid credit cards, online gift cards or cryptocurrencies to use as a vehicle for pseudoanonymous payments, this early attempt at ransomware, known as the AIDS Information Trojan, was a financial failure. Indeed, it wasn’t until the early 2010s that cyberextortion based on locking up computers or files worked out at all for the cyberunderworld.)
The biggest tactical change
But the biggest tactical change in ransomware is stage 2 above.
By perpetrating data breaches up front, before unleashing the file scrambling component – in Brown-Forman’s case, the breach allegedly includes 1 terabyte; in CWT’s attack, the criminals claimed that 2 terabytes were thieved up front – the crooks now have a double-barrelled weapon of criminal demand.
You’re no longer just being extorted to pay for the crooks to do something, namely to send you a set of decryption keys, but also being blackmailed into bribing the crooks not to do something, namely not to go public with your data.
Early ransomware had more in common with kidnapping, though with jobs at stake rather than the victim’s life: the theory was that if you paid up and the crooks released a working decryption tool, you not only got your data back but also quite clearly ended the power that the criminals had over you.
For the crooks to ransom your data again (sadly, this happens), they’d need to break into your network again and essentially start from scratch, assuming that you worked out how they got in before and closed the holes they used last time.
But today’s ransomware is turning into old-school, out-and-out blackmail: the crooks promise to delete the data they already stole, and thereby to “prevent” your ransomware incident turning into a publicly visible data breach, but you have no way of knowing whether they will keep their promise.
Worse still, you have no way of knowing whether the crooks can keep their promise, even if they intend to.
For all you know, the data they took illegally could already have been stolen from them – remember that many of the cybercrime busts written about on Naked Security, including ransomware arrests, happened because of cybersecurity blunders made by the perpetrators that allowed their evil secrets to be probed, uncovered and ultimately proved in a court of law.
Or the criminals themselves may have been victims of “insider crime”, where one of their own decided to go rogue – after all, we’ve also written about crooks getting busted not through operational blunders but through a falling-out among thieves, where one of the gang has ratted out the others or otherwise co-operated with the authorities to save themselves.
What does this new-look ransomware mean?
Technically, or at least from a regulatory point of view, all ransomware attacks are data breaches, even if all they do is scramble your files in place.
After all, if an outsider is able to modify files they weren’t supposed to access at all, that clearly amounts both to unauthorised access (a crime in most jurisdictions) and to unauthorised modification (a yet more serious crime) – and even though this makes you a victim of crime, it also means you’ve failed in at least some way at protecting information you were supposed to protect.
And ransomware crooks who steal your data before scrambling it are really in the pound seats when it comes to blackmail.
Even if you prevent the final stage of the attack, or if you have reliable backups so you don’t need the decryption keys, the crooks are going to squeeze you anyway, by threatening to make a bad thing much worse by deliberately releasing the stolen data.
The good news, in the case of the Brown-Forman attack, is that current reports suggest two important things:
- Brown-Forman prevented the file scrambling part (stage 3) of the attack. That’s great news, because it means that the company is unlikely to go offline like Garmin had to, which reduces the impact on the people that do business with the company, including suppliers, creditors, partners, distributors, retailers, and more.
- Brown-Forman has supposedly told the criminals to stick their blackmail demands where the sun doesn’t shine. Paying up simply encourages – indeed, it helps to fund – the next attack.
All we can say to that is, “Well done, and thanks for standing firm.”
Grubman Shire Meiselas & Sacks, a law firm that represents numerous high-profile celebrities, recently faced a demand similar to Brown-Forman’s, where the ransomware criminals menaced company founder Allen Grubman in broken English with threats to auction off celebrity data in the cyberunderworld:
We have so many value files, and the lucky ones who buy these data will be satisfied for a very long time. Show business is not concerts and love of fans only — also it is big money and social manipulation, mud lurking behind the scenes and sexual scandals, drugs and treachery. […] Mr. Grubman, you have a chance to stop that, and you know what to do.
The company famously likened the blackmailers to terrorists and refused to pay up. (The threatened auctions haven’t yet happened – though no one knows whether that’s because the crooks felt they couldn’t trust their own or because the data stolen simply wasn’t up to what the crooks claimed.)
To reward companies that are willing to say, “We won’t pay,” and who help to break the feedback that keeps the ransomware cycle turning, we suggest that you repay them by making sure that if their data does get dumped by crooks…
…that you simply do not look at it.
No matter how useful it might seem; no matter what items that you feel are now both “in the public domain” and in the public interest; no matter how much you might argue that companies like Brown-Forman were themselves remiss in the first place for not protecting data that they ought to have; even if you’re “just interested”, please don’t look.
We urge you, “Just say no.”
Brown-Forman’s breach is now a matter of public record and we assume it will be carefully investigated by law enforcement and the relevant regulators, so let’s leave them to it.
As Sophos Cybersecurity Educator Sally Adam put it:
“There is no ‘end justifies the means’ discussion to be had here because this is nothing like the cases of whistleblowers like Edward Snowden or Chelsea Manning, where – no matter what you think of their ultimate actions – an insider identified something they perceived to be wrong. This is purely about extortion.”
What to do?
Clearly, prevention is way better than cure.
It’s important to have protection in place to stop stage 3 above (after all, not all ransomware attacks follow this three-step process, and one-off scrambling attacks are still an ever-present risk).
We’ve got plenty of advice on how to do just that, including our popular report:
But the earlier you block or spot the crooks, the better for everyone, including yourself.
So we recommend you review the following handy resources too, to keep ransomware crooks out right from the very start:
- The realities of ransomware: Five signs you’re about to be attacked
- The realities of ransomware: Extortion goes social in 2020
- The realities of ransomware: A victim’s-eye view of an attack
12 comments on “US liquor giant hit by ransomware – what the rest of us can do to help”
When I saw the title image and “what the rest of us can do to help,” my first thought was sales after a ransomware payment.
(let’s pretend I didn’t cynically muse to myself about a billion-dollar corporation, hurting after a relatively insignificant loss)
I expected to respond like
Duck, I’m a tequila guy – Jack Daniel’s has never been my thing.
However, after a Wikipedia detour longer than reading this article and writing this comment combined, I could probably try some of that Herradura.
I read your line as, “they’re not planning to pay up and thereby encourage … the next attack.” Sure our defense stopped you (a little bit), but try harder next time.
Also, “We urge you, ‘Just say no.’” The people who read this article aren’t the same people who would do nefarious acts with this data. Every one of us probably has access to all company secrets, yet we’re trusted to keep our eyes shut. I’ll support Brown-Forman by purchasing JD and Herradura 😉
To your first point: you’re right, my wording was ambiguous (having the word “not” in there really didn’t help). I have therefore changed it to be much simpler: “Paying up simply encourages – indeed, it helps to fund – the next attack.” Thanks for that.
Second point: I hear what you are saying, but I think it still makes a clear point if we all go out of our way *not* to look at public data – even though we might be acting quite legally – that became public as a side-effect of blackmail. (This “not looking” IMO includes spurning articles and PR campaigns that did take a peek, did find something interesting, and did decide to dine out on it.)
Third point: well, that’s one way. Two ways if you treat whiskey and tequila as separate types of support.
Try them both too close consecutively, and I myself will require two separate means of support.
Cheers to them for not paying the criminals!
I’m still surprised that these large companies get breached, with the resources they have available to them; surely their IT department has put in place the necessary security measures. I saw an article referring to the use of [REDACTED] to protect them in the future, I nearly spit my coffee out, but my coffee is worth more than [REDACTED] so I therefore did not. But there are a slew of basic protection methods to prevent this kind of thing, #1 is personalized end-user training. I have been in the IT field now for 18 years, and nothing helps your end users’ comprehension more than telling them and showing them face-to-face (or Zoom to Zoom these days) “Hey, if you open that attachment and we get hacked… your junk goes on the Interwebs too!” Works miracles. That, plus menacing alerts from Sophos Intercept X, SG UTM Web Blocks and Application Controls that tell them every time… you, sir, are a danger to yourself and this network! Either way, cheers to bourbon folks saying no to ransoms.
Err… did my comment get deleted? What did I say wrong?
Comments here are moderated (if you have ever run a blog you will know how much spam you get in the guise of “nice” comments). You can see your own comments right away but if you revisit the page later (depending on what has happened with various cookies in the meantime) your comment might not appear if it is still in the queue. We’re a small team inside Sophos so the moderations sometimes take a few hours…
Congratulations to Brown-Forman for doing the right thing, many companies have not which is why this crisis continues to escalate.
We as a people (meaning our government) are completely lacking in our response to this. There are significant things that could be done to combat this crisis, which costs our country tens of billions of dollars a year and ruins lives.
First is to treat the blackmail data for what it truly is: stolen property. There are already laws at both the federal and state levels against the receipt and possession of stolen property, with penalties ranging from restitution, to fines, to prison. Going further, existing laws should be strengthened in this regard due to the incredible value and damage the release/possession of this data can cause. Regardless of whether the stolen information is political dirt, unreleased movies, financial data, or whatever… if a competitor, journalist or anyone else seeks out that information, is found to have it, and/or makes use of it, they should face prison time. In no case, unless it is protected under a legal whistle-blower law, should the content of what was stolen justify the theft, possession, or use of this data. Stolen data should be treated similarly to underage pornography, with the same social stigma and penalties.
Second, there should be laws against supporting the criminal organizations behind these attacks. Meaning, companies who do business in the US should be barred from paying ransoms. If strongly enforced this would bring far more benefit (by reducing attacks) than it would cause from companies having to deal with the effects of attacks. These payments fund organized crime organizations, terrorist organizations, and in some cases hostile foreign governments and only serve to encourage growth of the crisis. Every company who pays a ransom is committing a crime against future victims. They should be criminally and financially punished if found to have done that.
Third, insurance companies should be banned from offering policies that reimburse companies for ransom payments. Insurers should still be allowed to help companies from the aftermath of the attack in other ways but absolutely no money from insurance companies should be allowed to support this criminal feedback loop. Currently insurance companies are increasingly advising clients to pay the ransoms. It is a feedback loop where the more insurance money goes to criminals the more criminals will go after insurance money. And, lest you think the insurance companies are helping in any way, they are just financial institutions that take in money, dole it out and keep a cut. In a very real sense, the more ransoms the insurance industry generates (by rewarding criminals) & pays the more money the insurance industry makes.
We all pay a collective price for allowing this crime industry to continue and grow. It can and should be stopped. As much as companies like Brown-Forman should be congratulated and respected for doing the right thing, without strong government leadership to reduce these activities, enough organizations will do the wrong thing to keep the crisis growing exponentially.
Sounds superficially good, but not necessarily good to execute or enforce. And the “victim” loses the freedom to choose between options. Just think: if it was not a “company” but a “person”, then there are 3 options: (1) not pay the ransom; (2) pay the ransom; (3) call the police to handle it. Which option would you choose (or do you have a better option)?
There are tiny, small, medium, big and mega companies that have their own reason(s) for choosing.
While all Bourbon is Whiskey, not all Whiskey is Bourbon. Jack Daniel’s is a Whiskey but not a Bourbon.
I did not know that. But I do now… it seems that Jack Daniel’s kind of is bourbon, yet it is not Bourbon, and that the act of “not being Bourbon” is both a Fascinating Story and Quite A Big Deal.
Apparently JD’s officially became “not Bourbon” after the Alcohol Tax Unit of the Office of Inland Revenue withdrew its demand that the product be sold as Bourbon after the tax office (who said accountancy was boring?) conducted careful research (which gives a whole new meaning to “double blind” testing!) and concluded that it had “neither the characteristics of bourbon or rye whiskey but rather is a distinctive product which may be labeled whiskey.”
Under normal circumstances, sending a dozen cases of hard liquor to the IRS “for careful consideration” would get you into rather serious trouble… but on this occasion it seemed to be quite the right thing to do, and prompted a very nicely written letter in reply!
I have removed the mention of bourbon from the article. It is now, simply, whiskey.