REvil Hits French Connection, Grupo Fleury
The REvil ransomware gang continues its destructive trek around the globe, rooting out and exploiting vulnerabilities at (often) high-profile targets. One of its latest victims is nearly 50-year-old UK clothing retailer French Connection, whose in-your-face moniker, FCUK, raised the brand’s visibility in the 2000s.
Exploiting a vulnerability in the back-end systems that run French Connection’s internal operations, the attackers nicked internal data, including staff passport and identification cards, among them those belonging to the company’s CEO and founder Stephen Marks, chief operating officer (COO) Neil Williams and chief financial officer (CFO) Lee Williams, according to reporters at The Register, who viewed a sample of the stolen data.
The retailer confirmed the “organized attack” in a statement, saying it had suspended all affected systems. “The company is now actively working to restore its systems as quickly and safely as possible, and where necessary, is using manual overrides in order to ensure that the company can continue to operate,” French Connection said.
The company stressed it had found “no evidence” that customer data had been accessed and compromised.
There is no word on a ransom demand at this point, but if REvil stays true to form, it delivered a demand for payment along with a threat to sell the retailer’s data on the dark web.
Since its debut in 2019 as a likely offshoot of GandCrab, REvil has quickly become one of the most formidable ransomware adversaries, counting an Apple supplier and a powerful entertainment law firm among its victims. More recently, the ransomware-as-a-service (RaaS) variant has been fingered as the strain behind the debilitating attack on meat processor JBS USA that compelled the shutdown of processing plants across the U.S. The company forked over $11 million in ransom to the attackers.
“The ease with which ransomware can be conducted is also an issue, as ransomware software can easily be purchased on the darknet,” said Rita Gurevich, founder and CEO at Sphere. “The success of the attacks and the ease of use means that ransomware attacks will continue to rise.”
The success of the REvil ransomware has raised its profile and prompted copycat attackers to incorporate its code in their own operations. LV ransomware, for instance, observed by researchers from the Secureworks Counter Threat Unit, has the same code structure as REvil. The security firm says this might indicate that Gold Southfield, the cybercriminal threat group that operates REvil, sold or shared the source code, or that it was stolen.
“The attack on French Connection (FCUK) shows how these ransomware groups will target anyone if they find a way inside their networks. The operators reportedly identified a vulnerability that allowed them access to the network,” said Jamie Hart, cyberthreat intelligence analyst at Digital Shadows. “When it comes down to it, REvil is not biased, and if they can find a way inside a company, they are likely to deploy the ransomware.”
On the heels of the FCUK attack, the criminals hit Grupo Fleury, a Brazilian medical diagnostics company. That assault, which came with a $5 million ransom demand, is a continuation of REvil’s “campaign against Brazil-based organizations,” said Hart.
“In a previous statement made to the Russian-OSINT Telegram channel, a REvil representative stated that they were targeting Brazil for revenge,” she said. “However, it is not known what that revenge is for.”
With ransomware attacks occurring one after the other, Dirk Schrader, global vice president, security research at New Net Technologies, warns organizations to counter ransomware alert fatigue with action. “For organizations, the early steps in the cyber kill chain are a good starting point if they want to protect themselves from ransomware,” he said. “Limit reconnaissance on the infrastructure so that less or no information can be used to weaponize an attack against it, inhibit delivery of malware, reduce the attack surface for exploitation and, lastly, detect any installation; any file dropped on a device being an unwanted change to the system’s status and integrity.”
Companies could gain traction against attacks by altering the psychology of information security for their regular users, Schrader said. “Embed it in the tasks the users are paid to do, not just as an overlay, as a company policy,” he said. “Doing so will likely change the motivation.”
Gurevich said part of the answer lies with IT and security professionals who also should “adapt to their new environment where the skillset they successfully employed a few years ago may not suffice against the sophisticated ransomware attacks of today.”