Ragnar Locker Ransomware takes down Campari IT systems

It appears the Italian company has refused to pay group’s ransom demand

Ransomware attackers that seized 2TB of unencrypted files from Campari Group are demanding $15 million from the Italian alcohol giant to retrieve them.

It is understood Campari was struck with Ragnar Locker, a sophisticated and relatively new form of ransomware first observed in 2019 affecting Microsoft Windows machines and associated with a hacking group of the same name. Security vendor Sophos has previously detected Ragnar Locker deployed inside a virtual machine to hide it from view.

Campari released a press statement on Monday confirming reports from IT publication ZDNet that a cyber attack had forced the company to shut down its IT services and network. At the time of writing (five days after the attack is understood to have taken place) the Campari and Campari Group websites were loading but at noticeably reduced speeds.

“Campari Group informs that, presumably on 1 November 2020, it was the subject of a malware attack (computer virus), which was promptly identified. The Group’s IT department, with the support of IT security experts, immediately took action to limit the spread of malware in data and systems,” Campari wrote in a statement.

“Therefore, the company has implemented a temporary suspension of IT services, as some systems have been isolated in order to allow their sanitization and progressive restart in safety conditions for a timely restoration of ordinary operations.”

A Ragnar Locker sample discovered by security researcher Pancak3 shows a ransom note demanding $15 million to restore 2TB of stolen unencrypted files which the hacking group claims include banking statements, documents, contractual agreements and emails.

In return for the sum, the Ragnar Locker said it would delete the data and provide a security analysis with recommendations on how Campari Group can shore up its systems. Given the Italian company has chosen to restart its systems, it appears it has no intention of paying the ransom, a course of action generally recommended by security researchers as attackers are increasingly keeping hold of stolen data even if they are paid what they demand.

In April 2019 US beverage company Arizona Beverages‘ systems were taken down by another ransomware infection, iEncrypt.