Jack Daniel’s parent Brown-Forman was targeted by the REvil ransomware breach. The group stole 1TB of confidential information and data including employees, company agreements, contracts, financial statements, and internal correspondence. The gang is demanding a huge ransom by threatening to leak the data stolen in the attack.

Brown-Forman Hit by REvil Ransomware Attack: A Multi-Stage Extortion Scheme Unfolds Brown-Forman, the Kentucky-based liquor conglomerate behind global brands like Jack Daniel’s and Finlandia vodka, has fallen victim to a sophisticated ransomware attack orchestrated by the REvil (Sodinokibi) cybercriminal gang. According to reports from Bloomberg, which received an anonymous tip from the attackers, the incident follows REvil’s signature three-stage extortion playbook reconnaissance, data theft, and encryption with a modern twist: double-barrelled blackmail. ### The Attack: How It Unfolded 1. Reconnaissance & Network Infiltration The attackers first breached Brown-Forman’s network, escalating privileges to sysadmin-level access. They mapped the infrastructure, identified backup locations, and disabled security controls to maximize their reach. Trial malware deployments may have been used to test defenses before the full assault. 2. Data Exfiltration (1TB Stolen) Before encrypting files, the gang stole an alleged 1 terabyte of corporate data, spanning over a decade. Bloomberg was provided with links to a dark web portal where sample files were listed as "proof" of the breach. This tactic stealing data before encryption has become a hallmark of modern ransomware, enabling attackers to threaten public leaks if demands aren’t met. 3. Encryption (Prevented in This Case) Typically, REvil would then deploy ransomware to encrypt files across the network. However, Brown-Forman appears to have halted this stage, avoiding the operational disruption seen in other high-profile attacks (e.g., Garmin’s days-long outage). The company has reportedly refused to pay the ransom, a stance that disrupts the extortion cycle but leaves the stolen data at risk of exposure. ### The Evolution of Ransomware: From CryptoLocker to Double Extortion The attack reflects broader shifts in ransomware tactics: - Early Ransomware (2013–2016): Groups like CryptoLocker targeted individual users, demanding $300 per infected device. Later, gangs like SamSam pivoted to network-wide attacks, offering "bulk decryption" for tens of thousands of dollars. - Modern Extortion (2019–Present): REvil and others now steal data first, then encrypt, creating a dual threat: pay for decryption and to prevent a data leak. Recent victims, including Garmin and CWT, have paid millions Garmin reportedly negotiated a $10M demand down to an undisclosed sum, while CWT paid $4.5M for 30,000 encrypted devices. ### Regulatory and Ethical Implications Under most data protection laws, all ransomware attacks are breaches even if files are only encrypted. However, the pre-encryption data theft amplifies the stakes. Companies face: - Regulatory scrutiny for failing to protect data. - Reputational damage if stolen data is leaked (e.g., internal documents, customer records). - No guarantee that paying will prevent leaks attackers may sell or re-extort the data. Brown-Forman’s refusal to pay aligns with the approach of other victims, like law firm Grubman Shire Meiselas & Sacks, which rejected REvil’s threats to auction celebrity data. While the stolen data remains unpublicized, the incident underscores the growing audacity of ransomware gangs and the challenges of deterring them. ### Key Takeaways - Target: Brown-Forman (Jack Daniel’s, Finlandia vodka). - Attackers: REvil (Sodinokibi) gang. - Method: Three-stage extortion (reconnaissance, data theft, encryption). - Data Stolen: 1TB, including files dating back over 10 years. - Outcome: Encryption stage blocked; company refused ransom demands. - Broader Trend: Ransomware gangs increasingly use data theft as leverage, with demands now reaching millions per attack. The incident highlights the escalating financial and operational risks of ransomware, as well as the difficult choices victims face in responding to extortion.

The Maine Office of the Attorney General disclosed on May 10, 2021, that Brown-Forman Corporation suffered a data breach due to unauthorized access to its internal network, initially detected on July 28, 2020, and confirmed on August 4, 2020. The incident impacted 72 individuals, with compromised data potentially including Social Security numbers (SSNs) and credit card information linked to expired cards. The breach exposed sensitive personal and financial details, raising concerns over identity theft, fraud, and reputational harm. While the compromised credit card data pertained to expired cards—reducing immediate financial risk—the exposure of SSNs poses long-term threats, as such information is permanent and highly valuable to cybercriminals. The company likely faced regulatory scrutiny, customer distrust, and potential legal liabilities due to the failure to safeguard personally identifiable information (PII). The attack underscores vulnerabilities in corporate network security, particularly in protecting high-value employee and customer data from unauthorized intrusions. Though the scale was limited to 72 individuals, the nature of the exposed data elevates the severity of the incident.

The California Office of the Attorney General reported a data breach involving Brown-Forman Corporation on August 25, 2020. The breach occurred on July 28, 2020, and involved a cyber attack that compromised personal information about current and former employees, as well as certain beneficiaries. Approximately, the data included names, Social Security Numbers, email addresses, home addresses, job titles, and salary information, although the number of affected individuals was not specified.