The Akira ransomware gang has claimed responsibility for a cyber attack on the systems of UK-headquartered cosmetics manufacturer and retailer Lush, which was first disclosed earlier this month.
Lush confirmed it was investigating a live cyber security incident on 11 January 2024, saying it was undertaking a comprehensive investigation with external assistance, and had already taken steps to screen and secure its systems.
Lush’s website has remained accessible throughout, as did its bricks and mortar stores, suggesting either the impact of the cyber attack has been quite limited, or that the organisation has deployed effective mitigation measures.
According to the RansomLock open source ransomware-tracking project, which monitors blogs, leak sites and other sources of information, the gang posted details of its intrusion earlier today (Friday 26 January).
It stated that it had acquired 110GB of data from Lush’s systems, allegedly including personal documents, passport data, accounting and financial information, ongoing projects, and client data. It has not been possible to verify the legitimacy of this claim. Computer Weekly contacted Lush, but had not heard back at the time of publication.
Chester Wisniewski, director and global field chief technology officer at Sophos, said: “It is unclear if this was a ransomware attack or simple extortion as Sophos Incident Response Services has observed this crew to engage in either or both activities with their victims. If it was extortion without an encryption component, this could be why there has been no visible external disruption to Lush’s operations.
“Akira is developing into a force to be reckoned with,” he added. “We … have seen an increasing number of victims approach our incident response service. They seem to favour attacking vulnerable Cisco VPN products and remote access tools without MFA deployed. While we don’t know the cause of Lush’s alleged breach, this is a great reminder of the importance of expedient patching of all external-facing network components and the requirement for multi-factor authentication for all remote access technologies.”
Named after the cult 1988 anime movie depicting biker gangs in a dystopian future Tokyo, Akira is thought to have begun operations around March of 2023, when incident responders first began to note connections between some similar cyber attacks in which identical notes were dropped, with files encrypted with the .akira extension. A previous ransomware going by the same name is thought to be unrelated.
Going all-in on the cyberpunk aesthetic, the gang drew immediate attention for its retro black and green leak site, also notable for asking visitors and victims to enter commands to access stolen data, read its latest news, or contact it.
By the end of 2023, the crew was firmly established as a “formidable” threat, particularly to SMEs, and had racked up hundreds of alleged victims.
It primarily targets organisations in Australia, Europe and North America, operating in the government, manufacturing, technology, education, consulting, pharmaceutical and telecoms sectors. Per Wisniewski’s observations above, the gang appears to be becoming a particularly keen proponent of the emerging tactic of exfiltrating data without encrypting its victims’ systems with a ransomware locker.