REvil Hits Brazilian Healthcare Giant Grupo Fleury


São Paulo-based medical diagnostic firm Grupo Fleury has suffered a ransomware attack that has impaired business operations after the company shut down its systems. On the 22nd of June, the company website began displaying an alert message, alerting to the fact that its systems were suffering an attack and are no longer accessible.

Brazilian healthcare giant provides medical laboratory services across the nation with over 200 service centers and more than 10,000 employees. The company performs approximately 75 million clinical exams in a year.

"Please be advised that our systems are currently unavailable and that we are prioritizing the restoration of services. The causes of this unavailability originated from the attempted external attack on our systems, which are having operations reestablished with all the resources and technical efforts for the rapid standardization of our services," read the message translated into English. 

With their systems being knocked down, patients are unable to book appointments for labs and other medical examinations online. Since the announcement, multiple cybersecurity sources have confirmed that Grupo Fleury suffered an attack by the ransomware operation known as REvil, also known as Sodinokibi. 

“The Healthcare industry and healthcare supply chain are both one of the top three targeted sectors worldwide. Additionally, REvil are launching a lot of attacks at the moment, having hit a maritime organization in Brazil earlier this month,” Andy Norton, European cyber risk officer at Armis, stated.

The fact that Grupo Fleury's data is of significant concern as it contains enormous amounts of personal and medical data of patients, REvil is demanding $5 million for the decryptor key and the assurance that no vital information will be leaked online. REvil is known for exfiltrating data before encrypting devices and then using the stolen information as leverage to extort money from the company.

“In a previous statement made to the Russian-OSINT Telegram channel, a REvil representative stated that they were targeting Brazil for revenge. However, it is not known what that revenge is for. REvil is known for exfiltrating data and the data could include personally identifiable information and sensitive medical information of their patients and staff, which could be detrimental for the organization,” Jamie Hart, cyber threat intelligence analyst at digital risk protection company Digital Shadows Ltd, said.

Prior to this attack, JBS Foods, the world’s largest meat producer, was the victim of a REvil ransomware attack. JBS paid a ransom of $11 million in order to keep their stolen information from being leaked online. REvil has targeted numerous high-profile organizations, including Brazil's the Rio Grande do Sul court system, nuclear weapons contractor Sol Oriens.