Leading French cosmetics and pharmaceutical company Pierre Fabre has been struck by a REvil ransomware attack, with the attackers demanding an initial payment of $25m (£18.2m).

The long-standing cosmetics group dates back to 1962, when Pierre Jacques Louis Fabre, a pharmacist and cosmetics executive, established Laboratoires Pierre Fabre. Today, it is France’s second-biggest pharmaceutical group and also has the world’s greatest number of laboratories in dermo-cosmetics, with 10,000 facilities based around the globe. Pierre Fabre creates an extensive array of products, from skincare treatments to chemotherapy medication.

Coping with a cyber strike

On March 31, Pierre Fabre officially announced it had been hit by a malicious cyberattack. The group added that its teams had been able to contain the incident within a 24-hour period, regaining control.

To stop the attack from spreading throughout its network, Pierre Fabre stated that it had to temporarily halt a large portion of its production operations, with the stoppage rolled out gradually.

The cosmetics group commented:

“As a precaution, and in line with its risk management plan, the Group’s information system was immediately put into standby mode to curb the spread of the virus. This led to the gradual, temporary stoppage of most production activities except for the production facility in (the Southern French town of) Gaillac, which manufactures active ingredients for pharmaceuticals and cosmetic products.”

At the time the group made the announcement, no details were offered on the specific sort of cyberattack it had been hit by.

REvil ransomware at work

The IT help site helmed by Lawrence Abrams, BleepingComputer, has since confirmed that the French pharma group suffered a dedicated ransomware attack unleashed by the infamous cybercriminal group REvil, sometimes referred to as Sodinokibi.

A ransomware-as-a-service gang, REvil has a core team of malware developers that enlists affiliates as required to compromise corporate networks, steal data while it is still unencrypted and then encrypt enterprise devices. When a ransom is grudgingly paid, the developers and their affiliates carve up the sum into shares agreed beforehand. Typically, the recruited affiliates receive the lion’s share of the ransom payment.

While full details of the ransomware attack have not been disclosed, BleepingComputer viewed a payment page that was part of the hit on Pierre Fabre. The Tor payment page showed the REvil gang demanding a ransom of $25m. It also showed that the victim had not been in contact within the allotted timeframe, leading the REvil ransom demand to double to $50m.

The payment page included a private link to a dedicated data leak page set up for Pierre Fabre, presently hidden but ready to be disclosed if necessary, containing confidential information belonging to the group. The images on the leak page showed a wealth of personally identifiable information (PII) and private documentation, such as stolen passport data, a list of company contacts, immigration records and government ID cards.

The REvil gang has been engaged in a cybercrime spree in recent weeks, attacking many major enterprises while demanding exceptionally high ransom amounts.