Brown-Forman Hit by REvil Ransomware Attack: A Multi-Stage Extortion Scheme Unfolds
Brown-Forman, the Kentucky-based liquor conglomerate behind global brands like Jack Daniel’s and Finlandia vodka, has fallen victim to a sophisticated ransomware attack orchestrated by the REvil (Sodinokibi) cybercriminal gang. According to reports from Bloomberg, which received an anonymous tip from the attackers, the incident follows REvil’s signature three-stage extortion playbook (reconnaissance, data theft, and encryption) with a modern twist: double-barrelled blackmail.
The Attack: How It Unfolded
- Reconnaissance & Network Infiltration: The attackers first breached Brown-Forman’s network, escalating privileges to sysadmin-level access. They mapped the infrastructure, identified backup locations, and disabled security controls to maximize their reach. Trial malware deployments may have been used to test defenses before the full assault.
- Data Exfiltration (1TB Stolen): Before encrypting files, the gang stole an alleged 1 terabyte of corporate data spanning over a decade. Bloomberg was provided with links to a dark web portal where sample files were listed as "proof" of the breach. This tactic, stealing data before encryption, has become a hallmark of modern ransomware, enabling attackers to threaten public leaks if demands aren’t met.
- Encryption (Prevented in This Case): Typically, REvil would then deploy ransomware to encrypt files across the network. However, Brown-Forman appears to have halted this stage, avoiding the operational disruption seen in other high-profile attacks (e.g., Garmin’s days-long outage). The company has reportedly refused to pay the ransom, a stance that disrupts the extortion cycle but leaves the stolen data at risk of exposure.
The Evolution of Ransomware: From CryptoLocker to Double Extortion
The attack reflects broader shifts in ransomware tactics:
- Early Ransomware (2013–2016): Groups like CryptoLocker targeted individual users, demanding $300 per infected device. Later, gangs like SamSam pivoted to network-wide attacks, offering "bulk decryption" for tens of thousands of dollars.
- Modern Extortion (2019–Present): REvil and others now steal data first, then encrypt, creating a dual threat: victims pay both for decryption and to prevent a data leak. Recent victims, including Garmin and CWT, have paid millions: Garmin reportedly negotiated a $10M demand down to an undisclosed sum, while CWT paid $4.5M for 30,000 encrypted devices.
Regulatory and Ethical Implications
Under most data protection laws, all ransomware attacks count as breaches, even when files are only encrypted. However, the pre-encryption data theft amplifies the stakes. Companies face:
- Regulatory scrutiny for failing to protect data.
- Reputational damage if stolen data is leaked (e.g., internal documents, customer records).
- No guarantee that paying will prevent leaks: attackers may sell the data or use it to re-extort the victim.
Brown-Forman’s refusal to pay aligns with the approach of other victims, like law firm Grubman Shire Meiselas & Sacks, which rejected REvil’s threats to auction celebrity data. While the stolen data remains unpublicized, the incident underscores the growing audacity of ransomware gangs and the challenges of deterring them.
Key Takeaways
- Target: Brown-Forman (Jack Daniel’s, Finlandia vodka).
- Attackers: REvil (Sodinokibi) gang.
- Method: Three-stage extortion (reconnaissance, data theft, encryption).
- Data Stolen: 1TB, including files dating back over 10 years.
- Outcome: Encryption stage blocked; company refused ransom demands.
- Broader Trend: Ransomware gangs increasingly use data theft as leverage, with demands now reaching millions per attack.
The incident highlights the escalating financial and operational risks of ransomware, as well as the difficult choices victims face in responding to extortion.
Brown-Forman cybersecurity rating report: https://www.rankiteo.com/company/brown-forman
{
  "id": "BRO1772396670",
  "linkid": "brown-forman",
  "type": "Ransomware",
  "date": "8/2020",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization's existence"
}
{
  "affected_entities": [
    {
      "industry": "Beverage (Alcoholic)",
      "location": "Kentucky, USA",
      "name": "Brown-Forman",
      "type": "Corporation"
    }
  ],
  "attack_vector": "Network infiltration, privilege escalation",
  "data_breach": {
    "data_encryption": "Attempted but prevented",
    "data_exfiltration": "1TB stolen before encryption",
    "sensitivity_of_data": "High (spanning over a decade)",
    "type_of_data_compromised": "Corporate data (internal documents, potentially customer records)"
  },
  "description": "Brown-Forman, the Kentucky-based liquor conglomerate behind global brands like Jack Daniel’s and Finlandia vodka, fell victim to a sophisticated ransomware attack orchestrated by the REvil (Sodinokibi) cybercriminal gang. The attack involved reconnaissance, data theft (1TB), and attempted encryption, following REvil’s three-stage extortion playbook. The company prevented the encryption stage and refused to pay the ransom.",
  "impact": {
    "brand_reputation_impact": "Potential reputational damage if stolen data is leaked",
    "data_compromised": "1TB of corporate data",
    "legal_liabilities": "Regulatory scrutiny under data protection laws",
    "operational_impact": "Prevented encryption stage, avoiding operational disruption"
  },
  "lessons_learned": "Ransomware attacks increasingly involve data theft as leverage, creating dual extortion threats. Refusing to pay ransom disrupts the extortion cycle but leaves stolen data at risk of exposure.",
  "motivation": "Financial gain (extortion), data theft for leverage",
  "post_incident_analysis": {
    "root_causes": "Network infiltration, privilege escalation, disabled security controls"
  },
  "ransomware": {
    "data_encryption": "Attempted but prevented",
    "data_exfiltration": "Yes (1TB stolen)",
    "ransom_paid": "No",
    "ransomware_strain": "REvil (Sodinokibi)"
  },
  "recommendations": "Enhance network security controls, implement robust backup strategies, prepare for regulatory scrutiny, and develop incident response plans for ransomware attacks.",
  "references": [{"source": "Bloomberg"}],
  "regulatory_compliance": {
    "regulations_violated": "Potential violations of data protection laws (e.g., GDPR, CCPA)"
  },
  "response": {"containment_measures": "Halted encryption stage"},
  "threat_actor": "REvil (Sodinokibi)",
  "title": "Brown-Forman Hit by REvil Ransomware Attack: A Multi-Stage Extortion Scheme Unfolds",
  "type": "Ransomware"
}