Cyber Incident Victim: La Concha

Date: May 2021

Location: Mexico

Summary

The Mexican food company La Concha was compromised by the Grief ransomware group, resulting in the theft of approximately 1 GB of sensitive data. Grief publicly listed La Concha among multiple international victims on their Tor leak site, alongside entities from education, government, and manufacturing sectors. The attackers exfiltrated victim data as leverage but refused to disclose intrusion timelines, ransom demands, or specific data types during communications. Grief emphasized a strict "Pay or Grief" extortion model, rejecting negotiations, discounts, or delays while criticizing organizations for inadequate data protection and wasteful spending on incident response consultants. The group claimed to avoid targeting core healthcare systems but indicated willingness to attack lucrative peripheral medical sectors like plastic surgery or pharmaceuticals.

Description

La Concha, a Mexican company operating in the food and confectionery sector, was publicly listed as a victim of the Grief ransomware group in late May 2021. The attackers exfiltrated approximately 1 GB of data from the company's systems before listing La Concha on their Tor-based leak site alongside four other confirmed victims. Grief's standard operational procedure involved stealing victim data prior to encryption, then threatening to publish the information unless ransom demands were met. The group did not disclose the exact intrusion date, specific systems compromised, or whether they maintained persistent access within La Concha's network following the initial breach. No details emerged regarding the nature of stolen data beyond its volume, though Grief generally claimed possession of sensitive corporate information without confirming whether employee or customer personal data was included.

The incident formed part of Grief's broader ransomware campaign targeting multiple international organizations across different sectors, including government entities and private corporations. Attackers adopted an uncompromising negotiation stance, refusing discounts or extended timelines for payment while criticizing victims for investing in cybersecurity insurance and professional negotiators instead of paying ransoms directly. Grief justified their actions by accusing victim organizations of inadequate data protection practices, specifically referencing non-compliance with GDPR obligations despite La Concha's non-EU jurisdiction. The group maintained operational security by withholding technical details about intrusion methods and ransom amounts during communications with journalists. Public confirmation of the breach came exclusively through Grief's leak site, with no subsequent disclosures from La Concha regarding containment measures, system restoration processes, or regulatory notifications to Mexican authorities.
