Leading French pharmaceutical group, Pierre Fabre, suffered a REvil ransomware attack where the attackers are demanding a ransom payment in Bitcoin worth approximately $25 million USD. Pierre Fabre is the second largest pharmaceutical group in France and the second largest dermo-cosmetics laboratory globally. With over 10,000 employees worldwide, Pierre Fabre developes a wide variety of products ranging from chemotherapy drugs to skincare products. Last week, the company announced that they had suffered a cyberattack on March 31st that they brought under control in less than 24 hours. To halt the spread, Pierre Fabre stated that they had to perform a gradual and temporary halt to most production activities. “As a precaution, and in line with its risk management plan, the Group’s information system was immediately put into standby mode to curb the spread of the virus. This led to the gradual, temporary stoppage of most production activities, except for the production facility in Gaillac (in the Tarn in France), which manufactures active ingredients for pharmaceuticals and cosmetic products,” disclosed Pierre Fabre. At the time, Pierre Fabre did not reveal what type of cyberattack they suffered. Since then, BleepingComputer has confirmed that Pierre Fabre suffered a ransomware attack by a hacking group known as REvil/Sodinokibi.
REvil is a ransomware-as-a-service operation, where the core malware developers recruit affiliates to compromise corporate networks, steal unencrypted data, and then encrypt devices. If a ransom payment is made, the core developers and the affiliate split the payment in an agreed-upon revenue share, with the affiliates usually getting the larger share. Bleeping Computer recently received a link for a Tor payment page that was demanding the 25 million dollar ransom. And as there has been no contact with the company, the REvil ransom has been doubled to $50 million. While the payment page does not specifically name the target, the site’s chat screen shows a message from the attacker stating that they are about to release Pierre Fabre’s data. This message is attempting to scare the company into paying the ransom. The link that Bleeping Computer received leads to a currently hidden REvil data leak page that contains images of allegedly stolen passports, a company contact list, government ID cards, and immigration documents.