Cyber Incident Victim: Grupo Fleury
Date: Jun 2021
Location: Brazil
Summary
Grupo Fleury, a major Brazilian medical diagnostics provider, experienced a disruptive ransomware attack attributed to the REvil (Sodinokibi) group, forcing systems offline and halting online patient services such as lab test scheduling. The attackers demanded $5 million for a decryptor. No evidence of stolen data was initially provided, but REvil's history of data exfiltration raised concerns over potential exposure of sensitive patient medical and personal information. The incident significantly impacted operations across the company's extensive network of service centers.
Description
On or around June 22, 2021, Brazilian medical diagnostics company Grupo Fleury experienced a ransomware attack that disrupted its business operations. The company, Brazil’s largest provider of clinical exams with over 200 service centers and 10,000 employees, took its systems offline in response to the incident. By June 23, its website displayed an alert notifying users of system unavailability caused by an "attempted external attack," with services being prioritized for restoration through technical efforts. Cybersecurity sources confirmed to BleepingComputer that the REvil (Sodinokibi) ransomware operation was responsible for the attack. A sample of the ransomware shared with BleepingComputer revealed a $5 million ransom demand for a decryptor and a promise not to leak allegedly stolen data. REvil’s involvement aligned with its established pattern of exfiltrating data before encryption to pressure victims, though no proof of data theft or victim-specific references were publicly disclosed in the sample at the time of reporting. Grupo Fleury did not officially confirm the ransomware attack but acknowledged the cyber incident’s impact on operations.

The attack caused significant operational disruptions, preventing patients from scheduling lab tests or clinical exams online. With Grupo Fleury handling approximately 75 million exams annually, the downtime posed widespread service delays. Concerns arose over potential exposure of sensitive patient data, including personal and medical information, given REvil’s history of data theft and the company’s vast diagnostic operations. The company’s response focused on restoring systems, with its public statement emphasizing resource allocation and technical efforts to standardize services. REvil’s ransom note did not specify a leak deadline or provide evidence of stolen data, leaving the full scope of any data compromise unclear at the time of initial reporting. The incident marked another high-profile attack attributed to REvil, which had previously targeted Brazil’s Rio Grande do Sul court system, nuclear weapons contractor Sol Oriens, and global meat producer JBS. Grupo Fleury’s restoration timeline, and whether negotiations or payments occurred, were not disclosed in available sources.
