Grupo Fleury, Brazil’s largest medical diagnostic company, suddenly suspended its services on Tuesday (6/22) and then issued a statement on its official website saying that its system had been hit by an external attack and was down, and that every effort would be made to restore service. Security news outlet BleepingComputer reported that Grupo Fleury has become a victim of the REvil ransomware. Currently, Grupo Fleury’s website is still inaccessible.

Grupo Fleury, with a long history dating back to 1926, is the largest medical service and diagnostic healthcare provider in Brazil, and also the second-largest company in Brazil. It has over 200 service centers and more than 10,000 employees.

According to a statement released by Grupo Fleury to local news media, the company suffered a cyberattack on Tuesday, which caused some of its systems to malfunction. Following its security and control protocols to minimize the impact of the attack, the company is currently assessing the extent of the damage and dedicating all of its resources and technology to restore service as soon as possible.

Grupo Fleury said only that it had been hit by a cyberattack, but many cybersecurity researchers have informed BleepingComputer that the perpetrator is actually the REvil (Sodinokibi) ransomware, whose operators are demanding a ransom of up to $5 million from Grupo Fleury in exchange for the decryption tool and a promise not to leak the stolen confidential data.

REvil, which emerged in 2019, operates as Ransomware-as-a-Service (RaaS). The cybersecurity community believes it is the work of Russian hackers, in part because it was first advertised on a Russian-language hacking forum. According to a report by Coveware, a consultancy that specializes in ransomware cases, REvil was the most active ransomware in the first quarter of this year, with a market share of 14.2%, ahead of Conti V2 at 10.2%, Lockbit at 7.5%, and Clop at 7.1%. Furthermore, the most common starting point for REvil’s attacks is software vulnerabilities, followed by phishing emails, with RDP intrusion into enterprises ranking third.

Hacking incidents this year at Acer, Asteelflash Group (a subsidiary of ASE), Quanta Computer, Sol Oriens (a US nuclear weapons subcontractor), and Invenergy (a US renewable energy company) are said to be linked to the REvil ransomware.