AlphV Ransomware Gang Attacks Coca-Cola Femsa

The AlphV ransomware gang, also known as BlackCat, has attacked Coca-Cola Femsa. Coca-Cola Femsa is the largest Coca-Cola franchise bottler in the world by sales volume. It produces and distributes trademark beverages for The Coca-Cola Company, offering a portfolio of 134 brands to a population of more than 270 million. With over 97 thousand employees, it markets and sells approximately 3.8-billion-unit cases through more than 2 million points of sale a year. It operates 56 manufacturing plants and 249 distribution centers.

AlphV has published a sample of data stolen from Coca-Cola Femsa, including financial, PII, and database data. First observed in late 2021, ALPHV/BlackCat employs a well-developed RaaS (Ransomware-as-a-Service) platform that encrypts by way of an AES algorithm where the AES key is encrypted using an RSA public key. ALPHV/BlackCat has the ability to disable security tools and evade analysis.

Rapid Growth and Technical Sophistication

ALPHV/BlackCat has rapidly become one of the more active RaaS platforms over the course of 2022. ALPHV/BlackCat is thought to be the first ransomware group using RUST, a secure programming language that offers exceptional performance for concurrent processing. The ransomware also leverages Windows scripting to deploy the payload and to compromise additional hosts. The developers have also been linked to DarkSide/BlackMatter ransomware attacks and may simply be a rebranding of those campaigns.

Double Extortion Schemes

ALPHV/BlackCat also exfiltrates victim data prior to the execution of the ransomware – including from cloud-based deployments - to be leveraged in double extortion schemes to compel payment of the ransom demand. They have one of the more generous RaaS offerings, offering as much as 80-90% cut to affiliates.