Security sources have told iTWire that the group has given Lion time until 19 June to pay up, and threatened to double the ransom after that. The attackers have not yet made their demands public.
Lion, which also operates in New Zealand, is a subsidiary of the Japanese beverage giant Kirin. According to Wikipedia, it has about 7000 employees and its 2015 revenue was $5.6 billion.
A screenshot of the ransom demand.
"Our IT teams and expert cyber advisers have continued working throughout the weekend to investigate this incident, working to bring systems back online safely.
"We have made good progress. However, there is still some way to go before we can resume our normal manufacturing operations and customer service."
The note also said that it was running short of product. "Across our Australian and New Zealand adult beverages businesses, we continue to have limited visibility of our products in our systems," the note added.
"We’re working to bring our breweries back online as soon as possible, hoping to get a number of our breweries back up and running very soon."
REVil, which is also known as Sodinokibi, attacks systems running Microsoft's Windows operating system.
It is one of the growing number of ransomware packages that first exfiltrates files on a victim's system and then encrypts them on-site.
A ransom note is then generated, with instructions provided as to how payment can be made, generally in cryptocurrencies.
If the victim does not pay by the deadline, then files are slowly leaked on the dark web in small amounts as a bargaining tactic.
REvil recently started another way of making money off the data it steals, in the event that the ransom is not paid. It puts up the data for auction.
Contacted for comment, ransomware threat researcher Brett Callow said: "Like multiple other groups, REvil steals data and uses the threat of its release — or, in some cases, auction — as additional leverage to extort payment."
Callow, who works for the New Zealand-headquartered security outfit Emsisoft, added: "Companies in this situation are without a good option. They've been breached, and paying the ransom does not change that. Giving in to the group's demands will simply result in a pinky promise that the stolen data will be destroyed and misused – but, as it's coming from criminals, that pinky promise carries little weight."
iTWire has contacted Lion for comment.