The REvil Ransomware Gang Lists Three New Engineering Makers as Victims

Written by Bill Toulas
Last updated September 25, 2021

REvil’s press release Tor site called “Happy Blog” has just been enriched with three new victims, all companies that engage in the engineering manufacturing field making specialized products for the international market. The victims are Lydall, Keyence, and Asarco, and in all cases, we can see the publication of sensitive documents that appear to belong to employees of these companies.

More specifically, the REvil has let out national ID cards, passports, certificates, and salary lists. In one case, we can also see a mutual non-disclosure agreement.

Lydall is a Connecticut-based filter solutions developer and producer of specialized goods like filters, thermal, acoustical, and separation units, all sold on the international market. The firm is listed in the New York stock exchange and has 3,000 employees in the U.S., Canada, Europe, and the Asian-Pacific region.

Keyence is a Japanese maker of sensors, measurement systems, laser markers, microscopes, and machine vision systems. They are considered one of the leaders in the field of factory automation - and also sell their products worldwide. REvil appears to have compromised the German base of the company, as this is actually where the only production hub of the firm outside of Japan exists.

Asarco (American Smelting and Refining Company) is a Tuscon-based copper mine and supplier giant with a presence in the U.S., Mexico, and Peru. The company’s domestic mines produce up to 300 million pounds of copper every year, while Mexico-based refineries output 375 million pounds (170 million kg) of refined copper.

None of the three websites of the allegedly victimized entities have any apparent problem, and we can see no announcements of a data breach or any production hiccups from any of them. As such, we cannot confirm the validity of REvil’s claims, even if this group has a proven track record in its reliability. We have reached out to all three companies asking for a comment, so we will update this post once we hear back from any of them.

Here’s what Irina Nesterovsky, Chief Research Officer at KELA, had to comment about attacks on large engineering companies like the ones listed by REvil this time:

Of the three recent victims attacked by REvil ransomware, one was a victim of a "double attack" case - a situation where a victim was attacked by two ransomware groups within a short period of time from one incident to the next. We've seen this occur numerous times in the past, for example, with Cobb Technologies, where they were listed on DarkSide's data leak site in December 2020 and published on Netwalker's site just a month later. These "double attack" cases - which we've seen occur at least four times in the last few months - showcase the need for organizations to patch vulnerabilities in their network infrastructure.

Initial access brokers - the tier of cybercriminals who obtain network access, move laterally within the network, and eventually sell the compromised access to ransomware affiliates and gangs - generally do not sell their access to more than one buyer (out of courtesy to fellow cybercriminals). Though there are numerous initial access vectors, we presume that unpatched vulnerabilities are more common to be exploited by multiple groups for the same victim, making it a necessity for organizations to continually prioritize patching and monitor their network infrastructure.

For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: