Cyber Incident Victim: Agromart Group
Date: May 2020
Location: Canada

Summary
Agromart Group, a Canadian agricultural services provider, experienced a ransomware attack by the Sodinokibi/REvil threat actors, who exfiltrated sensitive corporate data including accounting documents, databases, and internal communications. The attackers initiated an auction for the stolen information, requiring a $5,000 registration deposit and setting a $50,000 minimum opening bid, while also publicly releasing unredacted internal emails detailing the victim's breach response efforts and operational discussions. The compromised data posed risks of corporate espionage, intellectual property theft, and potential identity theft through exposed personnel records, with the threat actors leveraging the publication of sensitive correspondence to amplify reputational damage.
Description
In May 2020, Agromart Group, a Canadian agricultural services provider, experienced a ransomware attack conducted by the Sodinokibi/REvil threat actor group. The attackers exfiltrated sensitive corporate data, including accounting documents, accounts, databases, and operational information spanning the previous three months, comprising 22,328 files in PDF, DOCX, and XLSX formats alongside three distinct databases. Following the attack, REvil initiated an unconventional escalation by launching a dedicated auction platform to sell the stolen data, marking an evolution in ransomware tactics. Prospective buyers were required to register on the auction site, deposit $5,000, and place opening bids starting at $50,000, with an immediate purchase option set at $100,000. The auction was scheduled to conclude within seven days of its announcement in December 2023, though the outcome remained uncertain at the time of reporting. This approach mirrored REvil's previously announced but unrealized plan to auction files related to Madonna from a law firm breach, positioning Agromart as one of the first entities subjected to this specific monetization method.

The threat actors compounded operational disruption by publicly releasing unredacted internal Agromart communications exfiltrated during the attack. Published materials included transcribed notes from corporate conference calls discussing breach response strategies, internal emails detailing incident management steps, and correspondence revealing organizational concerns about the attack’s implications. This selective disclosure appeared designed to embarrass the company and expose its internal deliberations, particularly regarding breach containment efforts conducted through corporate communication channels. While the published correspondence did not disclose the ransom amount demanded by REvil, it highlighted potential risks stemming from the data exposure, including competitive harm from intellectual property theft and identity theft risks associated with compromised personnel information. The attackers separately claimed prior success in selling exfiltrated data allegedly related to Donald Trump, though the validity of those assertions remained unverified. Agromart’s incident exemplified the dual extortion model combining encryption with data auctioning, expanding the potential harm beyond operational downtime to long-term reputational and financial damage from sensitive information exposure.
