
Cyber Incident Victim: Kenneth Cole Productions

Date: Feb 2020

Location: United States of America

Summary

The U.S. fashion company Kenneth Cole Productions suffered a ransomware attack by the Sodinokibi (REvil) group, which exfiltrated and threatened to publish sensitive data unless a ransom was paid. Attackers claimed possession of over 70,000 internal documents containing financial records, employee severance details, and cash projections, alongside more than 60,000 customer records with personal information. The ransomware operators, operating under a Ransomware-as-a-Service model, leaked portions of the data publicly to pressure the victim and warned of full disclosure if demands were unmet. This incident exemplified a broader trend among ransomware gangs to steal and leak data pre-encryption, escalating extortion tactics by threatening reputational harm and potential stock market impacts.


Description

On or around February 28, 2020, the Sodinokibi ransomware group (also known as REvil) publicly claimed responsibility for a cyberattack targeting Kenneth Cole Productions, a major U.S. fashion company. The attackers published download links to files they alleged contained stolen data from the organization, threatening full disclosure unless ransom demands were met. According to their statements, the compromised data included over 70,000 documents containing financial records, internal work documents, cash projections, employee severance information, and records of money owed to the company. Additionally, they claimed possession of more than 60,000 records containing customers' personal information. The ransomware operators issued a public ultimatum warning that the complete dataset would be published if Kenneth Cole failed to respond before their deadline expired, explicitly emphasizing the impending exposure of customer data.


Sodinokibi operated under a Ransomware-as-a-Service model where affiliates distributed the malware while core operators managed development and ransom negotiations. This incident followed their established pattern of data exfiltration prior to encryption, with stolen information used as leverage to pressure victims into payment. The group had previously employed similar tactics against Artech Information Systems in January 2020, threatening to sell stolen data on cybercriminal platforms. Kenneth Cole did not publicly confirm the attack or validate the authenticity of the leaked data when contacted by media outlets. The attack reflected an emerging trend among ransomware operators, pioneered by Maze ransomware in late 2019, where data theft and staged leakage supplemented encryption-based extortion. Concurrently, Sodinokibi had announced intentions to escalate pressure on publicly traded companies by notifying stock exchanges about breaches—a tactic potentially aimed at influencing stock prices to coerce ransom payments. The FBI had recently disclosed that ransomware payments exceeded $140 million in bitcoin over six years, with Sodinokibi among multiple groups adopting increasingly aggressive data-leverage strategies throughout early 2020.
