Cyber Incident Victim: Harvest Sherwood Food Distributors
Date: May 2020
Location: United States of America
Summary
Harvest Sherwood Food Distributors suffered a ransomware attack by the REvil (Sodinokibi) group, which exfiltrated approximately 2,600 files, including cash-flow analyses, distributor details, business insurance documents, vendor information, and scanned driver's licenses of individuals in its distribution network, before encrypting systems. REvil threatened to publish the stolen data; negotiations, conducted through a ransomware mitigation firm on Sherwood's behalf, reportedly involved offers of $4.25 million and later $7.5 million to prevent disclosure. The compromised data posed risks of financial exploitation and exposure of personally identifiable information. The attack occurred alongside a separate high-profile REvil breach of a celebrity law firm, both attributed to the same threat actor group, which is known for using stolen data as extortion leverage.
Description
The Harvest Sherwood Food Distributors ransomware incident began on or around May 3, 2020, when attackers from the REvil (Sodinokibi) ransomware group infiltrated the company's systems. The threat actors exfiltrated approximately 2,600 files containing sensitive business data before deploying ransomware. Stolen information included cash-flow analyses, distributor network details, business insurance documents, vendor information, and scanned images of driver's licenses belonging to individuals in Sherwood's distribution network. REvil operators publicly disclosed the breach through their "Happy Blog" Tor hidden service, posting screenshots of ransom negotiations between themselves and Coveware, the ransomware mitigation firm hired by Sherwood. These communications revealed the company initially offered $4.25 million, later increasing to $7.5 million, to prevent public release of the stolen data. Sherwood maintained a policy of not commenting on active criminal investigations throughout the incident.

This attack occurred concurrently with REvil's high-profile breach of the celebrity law firm Grubman Shire Meiselas & Sacks (GSM), though the Sherwood compromise was a separate intrusion targeting food supply chain operations. The stolen driver's license images and distributor data exposed personally identifiable information (PII) that could facilitate identity theft or secondary attacks against Sherwood's business partners. Available reporting did not identify the initial access vector for the Sherwood intrusion; REvil's known patterns at the time included phishing emails, exploitation of unpatched internet-facing software such as the Oracle WebLogic deserialization vulnerability (CVE-2019-2725), and compromise of managed service providers (MSPs) whose remote management tools were then used to reach downstream customers. While Sherwood engaged professional negotiators, whether a ransom was paid or the data was ultimately released remained unconfirmed in available reporting. The incident fit REvil's continued targeting of essential industries during global disruptions, following its earlier attacks against the foreign exchange company Travelex and several municipal governments. Harvest Sherwood faced potential operational disruption from the encryption itself as well as from the threatened exposure of proprietary distributor networks and financial records.
