
Cyber Incident Victim: Dairy Farm

Date: Jan 2021

Location: Hong Kong

Summary

A major Pan-Asian retail conglomerate experienced a REvil ransomware attack, with threat actors encrypting systems and demanding a $30 million ransom. The attackers maintained network access for seven days post-compromise, including control over corporate email systems intended for phishing operations. The victim organization confirmed the cyber incident impacted fewer than 2% of business servers, which were isolated and taken offline while maintaining all store operations except where pandemic restrictions applied. External security specialists assisted with investigation and implementation of enhanced monitoring and protective measures. This attack signaled renewed large-scale ransomware operations following a temporary reduction during holiday periods.

CIA Posture: Available to members

Motives: 1 motive

Tactics, Techniques & Procedures: 1 technique

Threat Actor: 1 actor

Type: Available to members

Location: Available to members

Description

On or around January 14, 2021, the REvil ransomware operation compromised the network of Dairy Farm Group, a pan-Asian retail conglomerate operating over 10,000 outlets across grocery, convenience store, health and beauty, home furnishing, and restaurant brands including Wellcome, Giant, Cold Storage, 7-Eleven, Mannings, and Ikea. Attackers encrypted devices and demanded a $30 million ransom, as disclosed to BleepingComputer by a threat actor claiming involvement. The attackers asserted persistent network access seven days post-compromise, including control of corporate email systems intended for phishing campaigns. They claimed Dairy Farm’s operational dependency on its network prevented full shutdown despite the presence of over 30,000 hosts. Dairy Farm confirmed a January cyberattack impacting less than 2% of business servers, which were isolated and taken offline. The company engaged external security specialists for investigation while implementing additional security measures and enhanced monitoring. All stores remained operational except where mandated by COVID-19 restrictions, with no reported closures directly attributable to the incident.


The attack represented a resurgence of large-scale enterprise ransomware operations following a lull during the 2020 Christmas holidays, coinciding with contemporaneous attacks such as the global incident against crane manufacturer Palfinger. Dairy Farm’s public statement emphasized business continuity across its 230,000 employees and $27 billion annual revenue footprint, characterizing the incident as limited to server infrastructure without disrupting customer-facing operations. No evidence of data exfiltration or secondary impacts, such as supply chain disruptions, was disclosed in available reporting. The company’s containment strategy focused on isolating and segmenting the affected systems rather than shutting down the full network, consistent with the attackers’ claims about operational dependencies. Dairy Farm did not publicly address the ransom demand or confirm any financial transactions with the threat actors.

Sources: 1 source (available to members)