A privately owned business set up in 1993, Chem Pack says on its website that it has grown its business significantly over the years. The company is located in Derrimut, a suburb of Melbourne, near the Western Ring Road.
The attackers who hit the company did not say when they had done so, putting up a screenshot on the dark web of some of the data exfiltrated and advising Chem Pack to make contact.
They claim to have financial information, personal information of clients and other "important private documents".
iTWire has written to Chem Pack asking for comment.
A screenshot of the Chem Pack data listed on the REvil website on the dark web.
The people behind the REvil ransomware make a ransom demand and then wait to hear from the victim. If the ransom is not paid, some of the data pilfered during the attack is published.
If a REvil victim is not persuaded by this, then more data is made public. REvil also posts data on underground forums for other miscreants to pick up and use for their own nefarious purposes.
The ransomware is able to exploit a 2018 vulnerability in Windows to elevate privileges, a flaw that Microsoft rates as important.
According to Secureworks, the first instances of REvil were delivered by exploiting vulnerabilities in Oracle WebLogic. Since then, it has also added functionality to attack through malicious spam campaigns and remote desktop protocol attacks.
Contacted for his take on the incident, well-known ransomware threat researcher Brett Callow said: "Incidents such as this represent a risk to both the target company and its customers and business partners and, unfortunately, they have become a daily event.
"But they needn't be, as they're mostly preventable. If companies were to adhere to well-established security best practices, they could avoid being hit."
Callow, who works for the security company Emsisoft, which has its headquarters in New Zealand, said companies in this situation did not have a single good option.
"They've been breached, their data and their customers' data is in the hands of cyber criminals and paying the ransom doesn't change that," he said.
"Even if they decide to give in to the criminals' demands, they'll simply receive a pinky promise from a bad faith actor that the stolen data will be deleted.
"Yeah, right. Why would a criminal enterprise ever delete data that it may be able to further monetise? The answer is that it probably wouldn't."