Akira ransomware gang claims Lush cyber attack

The Akira ransomware gang claims to have stolen over 100GB of data from cosmetics manufacturer and retailer Lush

The Akira ransomware gang has claimed responsibility for a cyber attack on the systems of UK-headquartered cosmetics manufacturer and retailer Lush, which was first disclosed earlier this month.

Lush confirmed it was investigating a live cyber security incident on 11 January 2024, saying it was undertaking a comprehensive investigation with external assistance, and had already taken steps to screen and secure its systems.

Lush’s website has remained accessible throughout, as did its bricks and mortar stores, suggesting either the impact of the cyber attack has been quite limited, or that the organisation has deployed effective mitigation measures.

According to the RansomLock open source ransomware-tracking project, which monitors blogs, leak sites and other sources of information, the gang posted details of its intrusion earlier today (Friday 26 January).

It stated that it had acquired 110GB of data from Lush’s systems, allegedly including personal documents, passport data, accounting and financial information, ongoing projects, and client data. It has not been possible to verify the legitimacy of this claim, all claims made by cyber criminal gangs should be treated with extreme scepticism. However, Computer Weekly understands that customer credit card data has not been impacted.

A Lush spokesperson told Computer Weekly: “We recently experienced a ransomware incident involving temporary, unauthorised access to part of our UK IT system. We took immediate steps to respond to the matter and, following a short period of limited disruption, we are now operating largely as normal. We also launched a comprehensive investigation with external security specialists to understand what data may have been affected, which remains ongoing. 

“We have informed the relevant authorities about this incident, including the ICO and police. We know the group responsible for this incident have made claims regarding data they have taken relating to Lush. Alongside our specialist partners we are working hard to validate these claims.”

Chester Wisniewski, director and global field chief technology officer at Sophos, said: “It is unclear if this was a ransomware attack or simple extortion as Sophos Incident Response Services has observed this crew to engage in either or both activities with their victims. If it was extortion without an encryption component, this could be why there has been no visible external disruption to Lush’s operations.

“Akira is developing into a force to be reckoned with,” he added. “We … have seen an increasing number of victims approach our incident response service. They seem to favour attacking vulnerable Cisco VPN products and remote access tools without MFA deployed. While we don’t know the cause of Lush’s alleged breach, this is a great reminder of the importance of expedient patching of all external-facing network components and the requirement for multi-factor authentication for all remote access technologies.”

UK cyber attacks in 2024

24 January: Southern Water, which supplies millions of customers in southeast England, has confirmed it has fallen victim to a cyber attack, although its services appear to be running normally.
19 January: Canterbury, Dover and Thanet councils in Kent have all been struck by simultaneous cyber attacks, with indications of a link between all three.

Named after the cult 1988 anime movie depicting biker gangs in a dystopian future Tokyo, Akira is thought to have begun operations around March of 2023, when incident responders first began to note connections between some similar cyber attacks in which identical notes were dropped, with files encrypted with the .akira extension. A previous ransomware going by the same name is thought to be unrelated.

Going all-in on the cyberpunk aesthetic, the gang drew immediate attention for its retro black and green leak site, also notable for asking visitors and victims to enter commands to access stolen data, read its latest news, or contact it.

By the end of 2023, the crew was firmly established as a “formidable” threat, particularly to SMEs, and had racked up hundreds of alleged victims.

It primarily targets organisations in Australia, Europe and North America, operating in the government, manufacturing, technology, education, consulting, pharmaceutical and telecoms sectors. Per Wisniewski’s observations above, the gang appears to be becoming a particularly keen proponent of the emerging tactic of exfiltrating data without encrypting its victims’ systems with a ransomware locker.

This article was updated at 16:50 on Friday 26 January 2024 to add a statement from Lush and further clarify the nature of the data believed to be impacted.

Read more on Data breach incident management and recovery

Data Center
Data Management