Akira ransomware gang says it stole passport scans from Lush in 110 GB data heist

Cosmetics brand goes from Jackson Pollocking your bathwater to cleaning up a serious digital mess

Updated The Akira ransomware gang is claiming responsibility for the "cybersecurity incident" at British bath bomb merchant Lush.

Akira says it has stolen 110 GB of data from the UK-headquartered global cosmetics giant, which has more than 900 stores worldwide, allegedly including "a lot of personal documents" such as passport scans.

Passport scans are routinely collected during hiring to verify identity and the right to work, which suggests Akira's affiliate had access to an HR or similar system holding staff-related data.

Company documents relating to accounting, finances, tax, projects, and clients are also said to be included in the archives grabbed by the cybercriminals, who are threatening to make the data public soon. There is still no evidence to suggest customer data was exposed.

Akira's retro-vibe leak website separates victims into two sections: one for companies that didn't pay the ransom and so had their data published, and another for those whose data is to be published on an undisclosed date.

If the incident does involve ransomware, as the criminals claim, a likely reading is that negotiations have stalled and Akira is using the threat of data publication to hurry the talks along.

The Register approached Lush for comment. Its representatives acknowledged the request but did not provide a statement in time for publication.

Lush last communicated about the situation on January 11, saying it was responding to an "incident" and working with outside forensic experts to investigate the issue – phrasing often used when the incident in question is a ransomware attack.

"The investigation is at an early stage but we have taken immediate steps to secure and screen all systems in order to contain the incident and limit the impact on our operations," it said. "We take cybersecurity exceptionally seriously and have informed relevant authorities."

The statement came a day after a post was made to the unofficial Lush Reddit community. Written by a user who seemingly had inside knowledge of the incident, the post claimed members of staff were instructed to send their laptops to head office for "cleaning" – an assertion that El Reg understands to be true.

Akira is now better known for its extortion-only MO – stealing data and threatening to leak it, without necessarily deploying an encryptor – which it adopted in October 2023.

A recent Sophos report said the company's incident responders had handled only a single Akira case that actually led to the deployment of a ransomware payload, and that was back in August 2023. That said, this intel is limited to Sophos's own engagements – other incident response companies may have a different story to tell.

Chester Wisniewski, director, global field CTO at Sophos, said today: "It is unclear if this was a ransomware attack or simple extortion as Sophos Incident Response Services has observed this crew to engage in either or both activities with their victims. If it was extortion without an encryption component this could be why there has been no visible external disruption to Lush's operations."

He added: "Akira is developing into a force to be reckoned with. We first observed them in early 2023 and have seen an increasing number of victims approach our incident response service. They seem to favor attacking vulnerable Cisco VPN products and remote access tools without MFA deployed. While we don't know the cause of Lush's alleged breach this is a great reminder of the importance of expedient patching of all external facing network components and the requirement for multifactor authentication for all remote access technologies."

The group is primarily known for targeting organizations in the UK, Australia, and North America, and for its indiscriminate choice of industries – anyone is fair game.

According to SentinelOne's insights, Akira also demands "outrageous ransom payments" that can regularly reach US dollar sums in the nine-figure range.

Trend Micro's analysis found that the group is run by "highly experienced and skilled operators" and is thought to be one of the many spin-off gangs following the crumbling of Conti in 2022.

Blockchain data and the source code of Akira's ransomware payload both pointed to a relationship with Conti, itself a descendant of Ryuk; both were considered among the most menacing ransomware operations of their times.

Akira is also believed to be behind the recent attack on Finnish IT service provider Tietoevry, which has affected a number of online services at Swedish government departments and some of the country's universities.

According to a press release, the attack was limited to one of Tietoevry's Swedish datacenters and the incident is contained, but the company isn't sure how long it will take to fully recover. ®

Updated at 10.47 UTC on January 29, 2024, to add:

A spokesperson for Lush sent us a statement:

"We recently experienced a ransomware incident involving temporary, unauthorized access to part of our UK IT system. We took immediate steps to respond to the matter and, following a short period of limited disruption, we are now operating largely as normal.

"We also launched a comprehensive investigation with external security specialists to understand what data may have been affected, which remains ongoing. We have informed the relevant authorities about this incident, including the ICO and police.

"We know the group responsible for this incident have made claims regarding data they have taken relating to Lush. Alongside our specialist partners we are working hard to validate these claims."
