Campari staggers to its feet following $15 million Ragnar Locker ransomware attack


November 09, 2020

Promo Protect all your devices, without slowing them down.
Free 30-day trial
Campari staggers to its feet following $15 million Ragnar Locker ransomware attack
  • Campari has managed to restore some of its IT systems following attack
  • Headaches continue for drinks manufacturer after ransom demand over stolen data

Campari, the company famous around the world for its dark red alcoholic liqueur, says that it has managed to bring some of its IT systems back to working order after hackers attacked its network with ransomware.

However, a number of its IT systems remain suspended – either temporarily or deliberately – or are only capable of limited functionality while the IT teams attempts to restore operations in a secure way.

Campari was targeted by hackers using the Ragnar Locker ransomware. According to some reports, the malware attack managed to encrypt data on 24 of the company’s servers around the world, and the hackers responsible have demanded a cryptocurrency ransom worth $15 million.

In its ransom note, the group claimed it had stolen 2TB worth of files from Campari’s servers, including sensitive information including bank statements, social security numbers, tax forms, contracts, and even passport details.

The hackers claim that if they do not receive the ransom they will either release the sensitive data to the public, or sell it on to other criminals. To raise the heat somewhat, the attackers shared links to images where screenshots of stolen data could be seen.

Campari Group confirmed last week that data on its network had been encrypted in the attack, and that it was unable to exclude the possibility that some personal and business data had been exfiltrated by the hackers.

The company has made no statement about whether it would be prepared to pay the ransom or not, but for now it certainly sounds as if it has chosen to attempt to rebuild its services on multiple sites, adding additional security measures in a bid to prevent reinfection.

Rebuilding and recovering infected IT systems is one thing, but it doesn’t change the fact that data has been stolen from the infected company – and the damage which could potentially be done if that data was to fall into the laps of criminals prepared to exploit it.

Interestingly, researchers have linked the ransomware attack against Campari with that recently undertaken against video game developer Capcom.

On Twitter, MalwareHunter Team claimed that the Ragnar Locker ransomware samples used in both attacks were signed with the same digital certificate.

Capcom and Campari. One wonders who might be next on Ragnar Locker’s list…




Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s.

View all posts

You might also like