Ragnar Locker Ransomware Infection at Campari Group

The Italian spirits producer Campari Group has fallen victim to a Ragnar Locker ransomware infection. Some systems of the Campari Group had to be restored after the files were encrypted.


ZDNet and Bleeping Computer already reported on this on Thursday. The cyber criminals demanded a ransom of 15 million US dollars, but the Campari Group did not respond to the blackmail.


The attack must have taken place around November 1, 2020, on the IT systems of the Italian beverage company Campari. On Friday, November 5, 2020, Campari confirmed that data on some of the company's servers had been encrypted and some information had been lost. This was revealed by checks carried out after a cyber attack. Here is the Italian statement (Source):

Campari Group informa che, presumibilmente il giorno 1° novembre 2020, è stato oggetto di un attacco malware (virus informatico), che è stato prontamente identificato. Il dipartimento IT del Gruppo, con il supporto di esperti di sicurezza informatica, ha immediatamente intrapreso azioni volte a limitare la diffusione del malware nei dati e sistemi. Pertanto, la società ha attuato una temporanea sospensione dei servizi IT, in quanto alcuni sistemi sono stati isolati al fine di consentirne la sanificazione e il progressivo riavvio in condizioni di sicurezza per un tempestivo ripristino dell'ordinaria operatività. Contestualmente è stata avviata un'indagine sull'attacco, che è tutt'ora in corso. Si ritiene che dalla temporanea sospensione dei sistemi IT non possa derivare alcun significativo impatto sui risultati del Gruppo. Nel frattempo, Campari Group ha prontamente avviato una piena collaborazione con le autorità competenti.

In the statement above, the Campari Group says that, presumably on November 1, 2020, it was subject to a malware attack (computer virus), which was promptly identified. The Group's IT department, with the support of IT security experts, immediately took action to limit the spread of the malware in data and systems. The company therefore implemented a temporary suspension of IT services, as some systems were isolated in order to allow their sanitization and progressive restart in safe conditions for a timely return to normal operations.

At the same time, an investigation into the attack was launched, which is still ongoing. It is believed that the temporary suspension of IT systems cannot have any significant impact on the Group's results. In the meantime, Campari Group has promptly initiated full cooperation with the competent authorities. ZDNet and Bleeping Computer write that the Ragnar Locker gang demanded a $15 million ransom. This also emerges from published screenshots. But no ransom was paid, and the Campari Group is instead trying to clean up the systems.


Threatpost has further details in its article. Malware researcher Pancak3 shared a copy of the ransom note with Threatpost, which says:

We have BREACHED your security perimeter and get [sic] access to every server of the company's network in different countries across all your international offices.

Threatpost writes that the note goes on to detail the types of data compromised, including accounting files, bank statements, employee personal information and more. The note said the scammers were able to steal a total of 2TB of data. The cyber criminals wrote:

If no offer is made than [sic] all your info with be posted and/or offered through an auction to any 3rd get-togethers.

ZDNet wrote that the compromised documents posted on the group's leak site included a contract involving Wild Turkey and actor Matthew McConaughey.
