Security

Cyber-crime

Akira ransomware gang says it stole passport scans from Lush in 110 GB data heist

Cosmetics brand goes from Jackson Pollocking your bathwater to cleaning up serious a digital mess


Updated The Akira ransomware gang is claiming responsiblity for the "cybersecurity incident" at British bath bomb merchant.

Akira says it has stolen 110 GB of data from the UK-headquartered global cosmetics giant, which has more than 900 stores worldwide, allegedly including "a lot of personal documents" such as passport scans.

Passport scans are routinely collected to verify identities during the course of the hiring process, which suggests Akira's affiliate likely had access to a system containing staff-related data.

Company documents relating to accounting, finances, tax, projects, and clients are also said to be included in the archives grabbed by the cybercriminals, who are threatening to make the data public soon. There is still no evidence to suggest customer data was exposed.

Akira's retro-vibe website separates victims into different sections: One for companies who didn't pay the ransom and thus had their data published, and another for those whose data is to be published on an undisclosed date.

A likely conclusion to draw, if the incident does indeed involve ransomware as the criminals claim, is that there may have been negotiations which have stalled, with Akira using the threat of data publication as a means to hurry along the talks.

The Register approached Lush for comment. Its representatives acknowledged the request but did not provide a statement in time for publication.

Lush last communicated about the situation on January 11, saying it was responding to an "incident" and working with outside forensic experts to investigate the issue – often phrasing used in a ransomware attack.

"The investigation is at an early stage but we have taken immediate steps to secure and screen all systems in order to contain the incident and limit the impact on our operations," it said. "We take cybersecurity exceptionally seriously and have informed relevant authorities."

The statement came a day after a post was made to the unofficial Lush Reddit community. Written by a user who seemingly had inside knowledge of the incident, the post claimed members of staff were instructed to send their laptops to head office for "cleaning" – an assertion that El Reg understands to be true.

Akira is better known for its extortion-only MO, which it adopted more recently in October 2023.

A recent report from researchers at Sophos revealed that they only responded to a single case that actually led to the deployment of a ransomware payload, and that was back in August 2023. That said, this intel is limited only to Sophos's engagements – other incident response companies may have a different story to tell.

Chester Wisniewski, director, global field CTO at Sophos, said today: "It is unclear if this was a ransomware attack or simple extortion as Sophos Incident Response Services has observed this crew to engage in either or both activities with their victims. If it was extortion without an encryption component this could be why there has been no visible external disruption to Lush's operations."

He added: "Akira is developing into a force to be reckoned with. We first observed them in early 2023 and have seen an increasing number of victims approach our incident response service. They seem to favor attacking vulnerable Cisco VPN products and remote access tools without MFA deployed. While we don't know the cause of Lush's alleged breach this is a great reminder of the importance of expedient patching of all external facing network components and the requirement for multifactor authentication for all remote access technologies."

The group is primarily known for targeting organizations in the UK, Australia, and North America, and also its indiscriminate targeting of industries – anyone is fair game for them.

According to SentinelOne's insights, Akira also demands "outrageous ransom payments" that can regularly reach US dollar sums in the nine-figure range.

Trend Micro's analysis found that the group is run by "highly experienced and skilled operators" and is thought to be one of the many spin-off gangs following the crumbling of Conti in 2022.

Blockchain data and the source code of Akira's ransomware payload both pointed to a relationship with Conti, itself a descendant of Ryuk, both of which were considered the most menacing ransomware operations of their times.

Akira is also believed to be behind the recent attack on Finnish IT service provider Tietoevry, which has affected a number of online services at Swedish government departments and some of the country's universities.

According to a press release, the attack was limited to only to one of Tietoevry's Swedish datacenters, and the incident is contained, but the company isn't sure how long it will take to fully recover. ®

Updated at 10.47 UTC on January 29, 2024, to add:

A spokesperson for Lush sent us a statement:

"We recently experienced a ransomware incident involving temporary, unauthorized access to part of our UK IT system. We took immediate steps to respond to the matter and, following a short period of limited disruption, we are now operating largely as normal.

"We also launched a comprehensive investigation with external security specialists to understand what data may have been affected, which remains ongoing. We have informed the relevant authorities about this incident, including the ICO and police.

"We know the group responsible for this incident have made claims regarding data they have taken relating to Lush. Alongside our specialist partners we are working hard to validate these claims."

Send us news
35 Comments

Ransomware gang <em>did</em> steal residents' confidential data, UK city council admits

INC Ransom emerges as a growing threat as some ex-LockBit/ALPHV affiliates get new gigs

Change Healthcare faces second ransomware dilemma weeks after ALPHV attack

Theories abound over who's truly responsible

Pandabuy confirms crooks nabbed data on 1.3M punters

Nothing says 'sorry' like 10 percent off shipping for a month

Street newspaper appears to have Big Issue with Qilin ransomware gang

The days of cybercriminals having something of a moral compass are over

INC Ransom claims to be behind 'cyber incident' at UK city council

This follows attack on NHS services in Scotland last week

UK businesses shockingly unaware of how to handle security threats

Many decide to make no changes after detecting a breach

Puppies, kittens, data at risk after 'cyber incident' at veterinary giant

IT systems pulled offline for chance to paws and reflect

Nearly 3M people hit in Harvard Pilgrim healthcare data theft

Also, TheMoon botnet back for EoL SOHO routers, Sellafield to be prosecuted for 'infosec failures', plus critical vulns

INC Ransom claims responsibility for attack on NHS Scotland

Sensitive documents dumped on leak site amid claims of 3 TB of data stolen in total

AT&amp;T admits massive 70M+ mid-March customer data dump is real though old

Still claims the personal info wasn't stolen from its systems

Head of Israeli cyber spy unit exposed ... by his own privacy mistake

Plus: Another local government hobbled by ransomware; Huge rise in infostealing malware; and critical vulns

Global taxi software vendor exposes details of nearly 300K across UK and Ireland

High-profile individuals including MPs said to be caught up in leak