The Sodinokibi / REvil extortionists that struck Lion recently, encrypting and exfiltrating the beverage giant's corporate data, want US$800,000 ($1.24 million) in ransom, a sum that will double in two days.
The Herald has viewed the ransom note, which points to a hidden transaction site hosted on a Russian network where victims are asked to pay the REvil / Sodinokibi criminals.
To obtain decryptor software that the ransomware criminals promise will work and not delete or corrupt the scrambled files, Lion is required to buy $800,000 worth of the Monero cryptocurrency, either directly via an exchange, or by first obtaining Bitcoin.
Monero uses an obfuscated public ledger, making it difficult to see the sender of the funds, and the destination and amount of the transaction.
The transaction site offers a live chat window for contacting the ransomware criminals, which contains a message threatening the publication of the corporate data copied.
"This is while hidden post, but it will be published after time expired. If you don't pay anyway, we publish download link for all your confidential files.
"You will lose reputation for clients, get different penals because you didn't protected personal data, your competitors or other people from public will use your financial data in their interests. If you don't want that, I recommend you pay money in time.
"We see that you are visiting this page. Contact us to this chat to get us know that you are collecting the payment, because we are going to publish a post about you in the blog already."
While the Herald won't publish the locations of the ransom note and transaction sites, they have been posted on social media.
This opens up the possibility of anyone who finds the transaction site being able to negotiate with the ransomware criminals to buy the data they have taken.
Privacy and data protection partner Richard Wells at Auckland law firm Minter Ellison Rudd Watts warned that anyone buying data taken from someone else via ransomware attacks would likely be committing a crime.
"Since the data would contain personal information, buying it would definitely be interfering with people's privacy," Wells said.
Buying corporate data in this manner would be "an incredibly dumb thing to do" for competing companies, as obtaining the information via illegitimate sources would be a massive reputational risk, he added.
Wells also cautioned that companies paying ransoms could be caught in strict anti-corruption and bribery laws, especially those in the United Kingdom and the United States.
Individuals can pay ransoms, but Wells said such deals are risky.
"It's not like there's an enforceable contract or anything with the ransomware criminals," Wells said.