Akira ransomware gang claims theft of passport scans from Lush in 110 GB data heist • The Register

The recent cybersecurity incident at a British bath bomb merchant has been claimed by the Akira ransomware gang, with the hackers boasting that they have obtained 110 GB of data from the global cosmetics giant. Among the stolen data are reportedly personal documents such as passport scans, in addition to company-related files on accounting, finances, tax, projects, and clients. While there is no evidence to suggest that customer data has been exposed, the cybercriminals are threatening to make the data public soon.

It appears that Akira’s modus operandi involves categorizing victims into groups based on whether they paid the ransom, with those who didn’t pay having their data published and those who did facing uncertain dates for data publication. This seems to suggest that negotiations may have taken place, but have possibly stalled, prompting Akira to use the threat of data publication as leverage to push the talks forward.

In response to the incident, Lush, the affected company, communicated that it is working with outside forensic experts to investigate the issue, indicating that the situation bears the hallmarks of a ransomware attack. The company also stated that it has taken immediate steps to secure and screen all systems, underscoring its commitment to containing the incident and minimizing its impact on operations.

The incident first came to light in a post made on the unofficial Lush Reddit community, where a user claimed that staff members were instructed to send their laptops to head office for “cleaning”, a detail that has been verified to be true. This aligns with Akira’s known practice of engaging in extortion without an encryption component, which could explain the absence of visible external disruption to Lush’s operations.

Akira’s emergence in early 2023 has been marked by an increasing number of victims, with an apparent preference for targeting vulnerable Cisco VPN products and remote access tools without multifactor authentication deployed. The group primarily targets organizations in the UK, Australia, and North America, and is known for demanding exorbitant ransom payments in the nine-figure range.

Experts have pointed out the group’s relationship with Conti, which has led to its classification as one of the spin-off gangs following the downfall of Conti in 2022. Notably, Akira is believed to be responsible for the recent attack on Finnish IT service provider Tietoevry, affecting online services at Swedish government departments and universities.

Tietoevry has stated that the attack was limited to one of its Swedish data centers, and while the incident has been contained, the company remains uncertain about the timeline for full recovery. This underscores the far-reaching impact of ransomware attacks orchestrated by groups such as Akira, which continue to pose a significant threat to organizations and institutions worldwide.
