Coca-Cola FEMSA, the world’s largest franchise Coca-Cola bottler, allegedly suffered a cyberattack, prompting management to pay the hackers ransom to prevent the leak of “certain” files.
A threat actor known as “TheSnake” allegedly acquired a “full database Coca-Cola FEMSA containing company information, confidential photos and files, and much more,” reports DataBreaches.net, which covers daily data breach events and leaks.
In a typical ransomware attack, the threat actor and his crew allegedly penetrated the company’s IT infrastructure twice in just over a year, resulting in a data dump exceeding 8 GB (5.8 GB compressed).
According to a screenshot posted to a popular hacking forum, the threat actors threatened Coca-Cola FEMSA with the following message:
“As we said, after the specified time, your data will be gradually uploaded to the public domain for everyone. You can still protect your reputation and keep most of the data undisclosed, but you have less and less time to do so. The choice is yours Coca-Cola FEMSA.”
The attackers allegedly obtained complete company information from Mexico, Argentina, Brazil, and Costa Rica, including: “passwords, financial documents, invoices in ZIP and supplier data, data from facilities, company equipment, ad campaign, data and photos of employees, backups and much more.”
While the attackers originally demanded $12 million to delete all the files they’d exfiltrated, the company negotiated to pay $1.5 million to prevent the leak of “certain” files.
“On inquiry, he clarified that they had demanded $12 million to delete all the files they had exfiltrated, but the firm was most concerned about preventing the leak of certain files and the negotiations were focused on a price not to leak those specific files,” DataBreaches reports. “According to TheSnake, the company did pay them $1.5 million not to leak those files.”
The rest of the files are still up for sale on hacking forums, with the threat actors asking $65,000 for them.
Coincidentally, the infamous BlackCat (AlphV) ransomware crew claimed responsibility for an attack on Coca-Cola FEMSA and leaked similar data in June.
Upon inquiry, TheSnake denied any connection to BlackCat’s claims.