{ "id": "861b9e3e-f471-4600-b8ab-f3ea27f57ec0", "created_at": "2026-04-06T00:18:35.605213Z", "updated_at": "2026-04-10T13:12:05.076567Z", "deleted_at": null, "sha1_hash": "e687973a24fa5580a8b53716ee874dcd447c49e3", "title": "Hong Kong firm becomes latest marketing company hit with REvil ransomware", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 45940, "plain_text": "Hong Kong firm becomes latest marketing company hit with REvil\r\nransomware\r\nBy Written by Jonathan Greig, ContributorContributor Oct. 5, 2021 at 3:27 p.m. PT\r\nArchived: 2026-04-05 13:07:42 UTC\r\nHong Kong marketing firm Fimmick has been hit with a ransomware attack, according to a British cybersecurity\r\nfirm monitoring the situation.\r\nZDNET Recommends\r\nFimmick has offices in Hong Kong and across China, serving several high-profile clients like McDonalds, Coca-Cola, Shell, Asus and others. \r\nTheir website is currently down, and there was no response to ZDNet requests for comment. Matt Lane, CEO of\r\nUK-based cybersecurity firm X Cyber Group, said his team routinely \"scrutinizes the activities of cybercriminals\r\nfor evidence of their behaviors\" as a way to protect clients and customers. \r\nOn Tuesday, they discovered that REvil had breached Fimmick's databases and claimed to have data from a\r\nnumber of global brands. Lane shared screenshots showing REvil's threatening posts toward Fimmick that\r\nincluded information stolen from the company's website.\r\n\"We discovered this intelligence as part of those routine activities. We noted, with interest, that the attacker's\r\n'Happy Blog' also appears to be temporarily unavailable but have no further information as to why that might be,\"\r\nLane said, adding that the criminal group also shared a directory structure of the stolen data.\r\n\"You can see Cetaphil, Coca-Cola, Hana-Musubi and Kate Spade are listed.\" \r\nRansomware gangs have targeted marketing firms multiple times over the last few years because of their ties to\r\nlarger companies with more valuable data. \r\nJohn Hammond, the senior security researcher at Huntress, said that for ransomware operators, the most attractive\r\ntargets are the ones that lead to even more targets. \r\n\"In the same vein that cybercriminals prefer a spray-and-pray approach -- always opting for the easiest targets and\r\nthe low-hanging fruit -- ransomware gangs love a one-to-many approach, which requires less effort to bring\r\ngreater results,\" Hammond said. \r\n\"Marketing firms, PR firms, and organizations that integrate closely with other businesses could have a plethora of\r\ndata and information that make targeting the next victim even easier. Much like service providers, attacking one\r\ncould start a domino effect to target others that the original victim worked with. Attacking a marketing firm or PR\r\nfirm allows ransomware gangs to get a bigger bang for their buck.\"\r\nhttps://www.zdnet.com/article/hong-kong-firm-becomes-latest-marketing-company-hit-with-revil-ransomware/\r\nPage 1 of 2\n\nAllan Liska, a ransomware expert with cybersecurity company Recorded Future, said there have been at least\r\nthree other marketing firms hit with ransomware over the last year. \r\nWieden+Kennedy was attacked in November 2020 but was forced to notify Oregon Department of Justice\r\nofficials in April after employees' personal information was exposed during the incident. MBA Group was hit in\r\nMarch and Empirical Research Partners in September. \r\n\"I don't know if they are particularly ripe compared to other industries, but I could see marketing firms being more\r\nvulnerable to attack, especially phishing attacks as they are used to dealing with a diverse client base and likely\r\nreceive a lot of emails with attachments, which is a favorite initial access vector for many ransomware groups,\"\r\nLiska said. \r\n\"The actual number of marketing firms hit is likely much higher, but unlike hospitals or schools, when a\r\nmarketing firm gets hit with ransomware, it doesn't make the news.\"\r\nSecurity\r\nSource: https://www.zdnet.com/article/hong-kong-firm-becomes-latest-marketing-company-hit-with-revil-ransomware/\r\nhttps://www.zdnet.com/article/hong-kong-firm-becomes-latest-marketing-company-hit-with-revil-ransomware/\r\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "origins": [ "web" ], "references": [ "https://www.zdnet.com/article/hong-kong-firm-becomes-latest-marketing-company-hit-with-revil-ransomware/" ], "report_names": [ "hong-kong-firm-becomes-latest-marketing-company-hit-with-revil-ransomware" ], "threat_actors": [ { "id": "d90307b6-14a9-4d0b-9156-89e453d6eb13", "created_at": "2022-10-25T16:07:23.773944Z", "updated_at": "2026-04-10T02:00:04.746188Z", "deleted_at": null, "main_name": "Lead", "aliases": [ "Casper", "TG-3279" ], "source_name": "ETDA:Lead", "tools": [ "Agentemis", "BleDoor", "Cobalt Strike", "CobaltStrike", "RbDoor", "RibDoor", "Winnti", "cobeacon" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434715, "ts_updated_at": 1775826725, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/e687973a24fa5580a8b53716ee874dcd447c49e3.pdf", "text": "https://archive.orkl.eu/e687973a24fa5580a8b53716ee874dcd447c49e3.txt", "img": "https://archive.orkl.eu/e687973a24fa5580a8b53716ee874dcd447c49e3.jpg" } }