Dark Web Ransom Group REvil Claims Ransomware Attack on Multi-Billion Dollar Chinese Manufacturing Giant Midea

The REvil ransomware gang claims to have launched a hack against Chinese electrical appliance maker Midea Group and has posted what is believed to be stolen data on the dark web.

The REvil ransomware gang, also known as Sodinokibi, which once dominated dark web ransomware operations, resurfaced in April 2022 after shutting down for several months following its infamous attack on Kaseya in 2021.

Midea Group is one of the first high-profile victims claimed by REvil since it reappeared earlier this year, although the authenticity of the attack has not been officially confirmed.

Midea Group is present almost worldwide, and its air conditioners and home appliances, including refrigerators, washing machines and microwaves, can be found in stores across the globe.

The multi-billion dollar Chinese company claims to be the world's number one manufacturer of major appliances and has extensive business partnerships with global organizations and sports clubs such as Manchester City Football Club and Corinthians.

The company claims to have average annual revenues of $53.3 billion and is ranked 245th on Fortune's Global 500 list.

REvil claims to have stolen a variety of data from Midea, including the contents of its product lifecycle management (PLM) system, containing blueprints and firmware source code, as well as financial information that it said it was "ready to sell" in an announcement post.

It also claimed to have "a lot of source code" and data from the Git and SVN version control systems, which it said "will be published soon."

According to REvil's dark web blog, the group stole a considerable amount of internal data. Screenshots posted by the ransomware group indicate that more than 3.09 terabytes of data were taken from Midea.

REvil has posted a large number of files allegedly taken from Midea on the dark web, including scans of physical and digital identity documents, screenshots allegedly taken from inside the company's VMware vSphere client, a large number of compressed 7-Zip archives, and SSH keys.

REvil is known for employing a double-extortion model in its ransom operations, and the threat to sell the data, although somewhat less pointed here, is consistent with the group's older methods. The group threatened to sell the data if the ransom was not paid in the usual manner, yet some of the data was released at the same time as the threat.

After resurfacing in April, REvil said another of its victims, Indian Oil Corporation, refused to negotiate with it, leading to the publication of the company's stolen data.

The REvil ransom group hails from Russia and is known for its historic attacks on major companies such as Kaseya and JBS Foods, but some members of the group were arrested as part of a coordinated international law enforcement operation in November 2021.

Russian law enforcement also arrested additional alleged members in January 2022, although some believe this may have been done as political leverage against the United States.

Russia's FSB said it had completely shut down REvil's activities and arrested all 14 remaining members, stating that "the criminal organization no longer exists and its infrastructure for criminal purposes has been destroyed."

But in a Twitter post yesterday, VX-Underground (@vxunderground), a leading malware research and security analysis group, said:

Lower-level affiliates and affiliated members were arrested, not primary members. Those arrested were charged with misdemeanors, fined small amounts, and then released.

The announcement posted by REvil on a dark web blog (http://blogxxu75w63ujqarv476otld7cyjkq4yoswzt4ijadkjwvg3vrvd5yd.onion/Blog) reads as follows:

Midea Group is a Chinese electrical appliance manufacturer, headquartered in Beijiao town, Shunde District, Foshan, Guangdong and listed on the Shenzhen Stock Exchange. As of 2021, the firm employs approximately 150,000 people in China and overseas with 200 subsidiaries and over 60 overseas branches. Revenue 40b+. Midea Group comprises five strategic business pillars: Smart Home, Industrial Technology, Building Technologies, Robotics & Automation, and Digital Innovation. Midea Group has over 160,000 employees in over 200 countries and regions, and ranks #245 on the Global Fortune 500 list of 2022.

We have all data from the PLM system (blueprints, source of firmware, etc.) and we also have financial information which we are ready to sell.

A lot of source code, git and svn, which will be published soon.

And some screenshots and zip evidence of the intrusion are posted at: http://ttn4gqpgvyy6tuezexxhwiukmm2t6zzawj6p3w3jprve36f43zxr24qd.onion/Midea/

From: On DarkNet – Dark Web News and Analysis