The Akira ransomware gang has claimed responsibility for a cyber attack on the systems of UK-headquartered cosmetics manufacturer and retailer Lush, which was first disclosed earlier this month.
Lush confirmed it was investigating a live cyber security incident on 11 January 2024, saying it was undertaking a full investigation with external support, and had already taken steps to monitor and secure its systems.
Lush’s website has remained accessible throughout, as have its bricks and mortar stores, suggesting either that the impact of the cyber attack has been relatively limited, or that the organisation has deployed effective mitigation measures.
According to the RansomLock open source ransomware-tracking project, which monitors blogs, leak sites and other sources of information, the gang posted details of its intrusion earlier today (Friday 26 January).
It stated that it had obtained 110GB of data from Lush’s systems, allegedly including personal documents, passport data, accounting and financial information, ongoing projects, and client data. It has not been possible to verify the legitimacy of this claim, and all claims made by cyber criminal gangs should be treated with extreme scepticism. However, Computer Weekly understands that customer credit card data has not been impacted.
A Lush spokesperson told Computer Weekly: “We recently experienced a ransomware incident involving temporary, unauthorised access to part of our UK IT system. We took immediate steps to respond to the matter and, following a short period of limited disruption, we are now operating largely as normal. We also launched a full investigation with external security specialists to understand what data may have been affected, which remains ongoing.
“We have informed the relevant authorities about this incident, including the ICO and police. We know the group responsible for this incident have made claims regarding data they have taken relating to Lush. Alongside our specialist partners we are working hard to validate these claims.”
Chester Wisniewski, director and global field chief technology officer at Sophos, said: “It’s unclear if this was a ransomware attack or simple extortion, as Sophos Incident Response Services has observed this crew engage in either or both activities with their victims. If it was extortion without an encryption component, this could be why there was no visible external disruption to Lush’s operations.
“Akira is developing into a force to be reckoned with,” he added. “We … have seen an increasing number of victims approach our incident response service. They seem to favour attacking vulnerable Cisco VPN products and remote access tools without MFA deployed. While we don’t know the cause of Lush’s alleged breach, this is a great reminder of the importance of expedient patching of all external-facing network components and the requirement for multi-factor authentication for all remote access technologies.”
Named after the cult 1988 anime film depicting biker gangs in a dystopian future Tokyo, Akira is thought to have begun operations around March 2023, when incident responders first began to note connections between similar cyber attacks in which identical ransom notes were dropped and files were encrypted with the .akira extension. An earlier ransomware going by the same name is thought to be unrelated.
Going all-in on the cyberpunk aesthetic, the gang drew immediate attention for its retro black and green leak site, also notable for asking visitors and victims to enter commands to access stolen data, read its latest news, or contact it.
By the end of 2023, the crew was firmly established as a “formidable” threat, particularly to SMEs, and had racked up a large number of alleged victims.
It mainly targets organisations in Australia, Europe and North America, operating in the government, manufacturing, technology, education, consulting, pharmaceutical and telecoms sectors. Per Wisniewski’s observations above, the gang appears to be becoming a particularly keen proponent of the growing tactic of exfiltrating data without encrypting its victims’ systems with a ransomware locker.
This article was updated at 16:50 on Friday 26 January 2024 to add a statement from Lush and further clarify the nature of the data believed to be impacted.