REvil claims ransomware attack on multi-billion dollar manufacturing giant Midea Group
REvil, the notorious ransomware gang with Russian origins, has resurfaced after vanishing online early last year. The gang, also known as Sodinokibi, is claiming to have infiltrated a popular Chinese electronic appliance manufacturer and has published what is believed to be stolen data. Midea Group is yet to officially acknowledge the attack.
Midea Group is a multi-billion dollar company with 200 subsidiaries and over 60 overseas branches. With an average annual revenue of over $53.3 billion, the company is part of the Fortune Global 500 list, currently occupying position 245. The manufacturing giant employs over 150,000 people globally and boasts partnerships with multiple global organisations, including Manchester City football club.
If the attack is confirmed, it will be the first successful ransomware attack on the organisation.
REvil is claiming to have in its possession several types of sensitive company information, including data from Midea Group’s product lifecycle management (PLM) system. The PLM system holds firmware blueprints and financial information, which REvil stated in its announcement post that it is ready to sell.
The ransomware group also claims to possess a large amount of source code and data from Git and SVN version control systems, which it says it will soon make public.
This mode of attack, otherwise referred to as double extortion, aligns with the gang’s known method of operation. The attackers make a copy of the data before encrypting it. If the company does not pay the ransom, they start releasing the data to the public or use it to carry out further attacks. This gives the attackers additional leverage to collect the ransom, as well as additional ways to profit from the data by selling it to other threat actors.
The data that the gang has already exposed includes scans of physical and digital identity documents, alleged screenshots from inside Midea Group’s VMware vSphere client, several compressed 7-Zip archives, and an SSH key.
At the time of publication, there are no outward indications that the company has been hacked. Its websites are as responsive as ever and its social media pages are still active.
The re-emergence of REvil will come as bad news to law enforcement, which had hoped to have shut down the group’s operations after a coordinated crackdown on the group led to 7 arrests in 2021.