Ransomware group threatens to 'auction' confidential Lion files if $1.25m ransom not paid
Wednesday, 17 June 2020
The extortionists who hacked trans-Tasman brewer Lion have threatened to 'auction' all its financial information, clients' personal information and other 'important confidential documents' on the internet unless it pays a US$800,000 (NZ$1.25m) ransom.
Stuff is aware of evidence of a ransomware demand being made via 'dark web' service Tor by extortionist group REvil that instructed Lion to make payment using a cryptocurrency called Monero.
A post from the hackers on Thursday morning, New Zealand time, provided evidence they had copies of files including information on Lion's grocery reporting, claims database and service level agreements.
Lion has been approached for comment.
The demand came as calls grew for the Government to attempt to break the 'vicious cycle' of ransomware by making it illegal to pay or facilitate the payment of such ransoms.
Lion said on Tuesday that it had made good progress bringing its systems back online safely.
'However, there is still some way to go before we can resume our normal manufacturing operations and customer service,' it said.
Lion is one of several big businesses that have fallen victim to ransomware attacks in recent weeks.
Auckland-based whiteware manufacturer Fisher & Paykel Appliances has had its manufacturing and distribution systems disrupted after being compromised by a separate group of hackers, called Nefilim.
Security expert Brett Callow of New Zealand-based IT security firm Emsisoft said REvil was notorious for demanding very large ransoms.
In May, REvil reportedly demanded a US$42m ransom from a New York law firm, threatening to release sensitive files on the company's celebrity clients who include Lady Gaga.
Callow backed calls for the Government to make it illegal to pay, or facilitate the payment of, ransomware demands.
'The only way to stop ransomware attacks is to make them unprofitable and that means companies must stop paying ransoms,' he said.
'The alternative is that the groups become ever-better resourced and have more money to invest to ramp up their operations and sophistication and that means more victims and ransoms paid – it's a vicious circle.'
He believed making it illegal to pay or assist in the payment of ransoms would help.
'In lots of countries, including the US, the payment of 'human' ransoms is illegal but there is no restriction at all on the payment of 'data ransoms'.'
Ransomware extortionists were 'literally making billions' and operating with almost complete impunity, he said.
'The conviction rate for cyber-crime is only about 0.05 per cent.'
Faafoi has been contacted for comment.
The Government is currently advising ransomware victims to visit the website of cyber-security agency Cert NZ for advice.
PWC cybercrime partner Adrian van Hest, who sits on the advisory board of Cert NZ, said he had not given the legality of paying ransoms much thought.
Paying ransoms could sometimes be the most cost-effective outcome for victims, even though the reality was that they could not then trust their IT systems again, he said.
He was not sure if banning ransomware payments would do harm, but said the idea it would 'stop anything' seemed simplified.
'I don't think it is the only step, and I don't think it is necessarily the most effective step.
'If organisations spent as much on prevention as they would do on potentially paying a ransom, they would be in a much better position,' he said.
But placing more liabilities on 'unregulated financial transaction providers' that were used by extortionists to facilitate ransoms could be of benefit, he said.
The current spate of ransomware attacks was something new, van Hest said.
'I have not seen organisations in Australia and New Zealand be specifically targeted to the extent they have been.'
Lion and Fisher & Paykel Appliances had been specifically targeted, he said.