Cyber Incident Victim: FARO Technologies
Date: May 2020
Location: United States of America
Summary
FARO Technologies suffered a ransomware attack by the REvil/Sodinokibi group, which exfiltrated several terabytes of data including proprietary schematics, source code, and client information. The attackers initially threatened to release 1.5 TB of stolen data, followed through with the leak, and later claimed the victim had secured a buyer for the compromised information despite not meeting their demanded ransom. The company did not publicly acknowledge the incident to media, investors, or regulatory bodies. Investigators identified potential attack vectors, including an internet-exposed RDP service and a Citrix NetScaler system vulnerable to CVE-2019-19781, though no definitive link between either exposure and the breach was established.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
FARO Technologies, a specialist in 3D measurement and imaging, appeared on the REvil/Sodinokibi ransomware operators' leak site on May 20, 2020. The attackers threatened to release 1.5 terabytes of stolen data unless their demands were met, and followed through with this threat two days later on May 22. In their initial claim, the operators stated they had exfiltrated several terabytes of sensitive information, including corporate and client data, technical schematics, and source code. They accused FARO of attempting to conceal the breach and data leak, while asserting they were already negotiating to sell "the most interesting data" to third parties. On May 25, the attackers updated their message to announce that FARO had found a buyer for the stolen data, describing the transaction as yielding less than their desired amount but "still worthwhile." All references to FARO were subsequently removed from the ransomware group's website.

The attackers typically allowed victims seven days to negotiate before escalating demands, with some cases extending to two weeks, but FARO's case resolved unusually quickly. Security researchers identified potential attack vectors, including an internet-exposed Remote Desktop Protocol (RDP) service on a FARO-associated machine and a Citrix NetScaler system vulnerable to CVE-2019-19781 ("Shitrix"). The Citrix vulnerability was detected in scans between December 8, 2019, and February 8, 2020, with specific confirmation of exploitability on January 11 and January 15. No direct link was established between these exposures and the ransomware incident. FARO maintained minimal public communication, issuing no statements to investors, the SEC, or the press until June 4, when it acknowledged awareness of the leak after multiple media inquiries. The company provided no further updates despite follow-up requests, leaving the scope of the data impact and the remediation efforts unconfirmed.
