
Grupo Fleury cyberattack: hacker group REvil demands US$5 million ransom – report

RIO DE JANEIRO, BRAZIL – As reported two days ago, Grupo Fleury’s systems remained offline Wednesday. The healthcare company fell victim to a ransomware attack on the afternoon of the previous day, an attack in which malicious code blocks access to systems or encrypts the victim’s data.

Grupo Fleury is a Brazilian healthcare company founded in 1926, whose main activity is providing medical services and diagnostic medicine. With about 60 million exams performed in 2016, it is the second-largest company in the area in Brazil, behind DASA.

Technology website Bleeping Computer says all indications are that the company is the latest victim of REvil (or Sodinokibi), a group that has already attacked JBS and the State Court of Rio Grande do Sul, to name just the most recent examples.

Grupo Fleury in São Paulo is the latest victim of REvil. (Photo internet reproduction)

REvil may have demanded a US$5 million ransom

In previous reports, Fleury Group did not confirm that it was affected by ransomware.

However, Bleeping Computer says that it has learned from multiple sources specializing in digital security that the company was a victim of ransomware created by the group REvil.

With rare exceptions, the goal of ransomware operations is to extort the victim financially. This case is no different. Bleeping Computer published a screenshot related to the Fleury attack, showing that REvil allegedly demanded a ransom payment of US$5 million to decrypt the affected systems and not expose corporate data.

The risk of a data leak is a sensitive issue for any company affected by ransomware. In Fleury’s case, this is compounded by the fact that confidential patient data could end up in the hands of third parties.

So far, there is no information about negotiations between Fleury Group and the attackers. In the statement released Wednesday, the company says only that the database is intact and security specialists are working to fix the problem.

REvil operates through affiliates

REvil (Ransomware Evil; also known as Sodinokibi) is a private ransomware-as-a-service (RaaS) operation and one of the most active ransomware groups at the moment. Allegedly originating from Russia, the group has been active since at least 2019.

REvil (Ransomware Evil; also known as Sodinokibi) is a private ransomware-as-a-service (RaaS) operation and one of the most active ransomware groups at the moment (Photo internet reproduction)

Under the RaaS model, the core group develops and maintains the ransomware and recruits “affiliates” to carry out attacks with it; if an attack succeeds, the core group keeps a percentage of the ransom received and the affiliate takes the rest. This approach makes it more difficult to identify those responsible for a given attack and increases the malware’s reach.

Several organizations have already fallen victim to REvil. In April, the group gained notoriety for threatening Apple. In Brazil, one target was the Rio Grande do Sul Court of Appeals.

Another recent example was JBS, which paid a ransom of US$11 million to prevent a data leak.

Attacks in 2021

March
On 27 March 2021, REvil attacked Harris Federation and published multiple financial documents of the federation on its blog. As a result, the IT systems of the federation were shut down for some weeks, affecting up to 37,000 students.

On 18 March 2021, a REvil affiliate claimed on the group’s data leak site that they had downloaded data from multinational hardware and electronics corporation Acer, as well as installing ransomware. Cybersecurity firm Advanced Intel linked the intrusion to the 2021 Microsoft Exchange Server data breach, having found the first signs of Acer servers being targeted from 5 March 2021.

A US$50 million ransom was demanded to decrypt the undisclosed number of systems and for the downloaded files to be deleted, increasing to US$100 million if not paid by 28 March 2021.

April
In April 2021, REvil stole plans for upcoming Apple products from Quanta Computer, said to include plans for a pair of Apple laptops, a new Apple Watch and a new Lenovo ThinkPad. REvil threatened to release the plans publicly unless it received US$50 million.

May
On 30 May, JBS S.A. was attacked by ransomware. A few days later, the White House announced that REvil may be responsible for the JBS S.A. cyberattack. The FBI confirmed the connection in a follow-up statement on Twitter.

JBS paid a US$11 million ransom in Bitcoin to REvil for an attack that forced the shutdown of all the company’s U.S. beef plants the previous week and disrupted operations at poultry and pork plants.
