Lush attacked by Akira Ransomware

Blog by Bournemouth 2600

The Bournemouth Echo reported that on 11 January 2024, international cosmetics firm Lush, located in nearby Poole, was "investigating" an unspecified "cyber security attack".

For those unaware, Lush is a Poole, UK-based cosmetics company founded in 1995, known for its handmade and ethically-sourced beauty products, including bath bombs and skincare items. Committed to environmental sustainability, Lush opposes animal testing, emphasizes ethical sourcing, and minimizes packaging waste.

Lush then announced on its website that the Lush UK & Ireland branch was responding to a confirmed cyber incident. The statement by Lush is pretty vague and does not really reveal much to us (or the attackers).

Two weeks later, however, Lush appeared on the Darknet (Tor) data leak site of the Akira ransomware group. The Akira operators state that they have allegedly stolen 110 GB of files belonging to Lush. The stolen data, which is about to be leaked unless a ransom is paid, includes information related to employee passports, accounting and finance records, tax records, unspecified projects and "client information". Apparently they have "much more," but ransomware gangs often like to exaggerate the impact of their attacks.

Active since March 2023, Akira is a notorious Russian-speaking organized cybercriminal group that launches ransomware attacks. Akira has rapidly impacted numerous victims, employing double extortion tactics. This means that they get into their target's network, deploy file-encrypting ransomware across a company's entire network and steal their data to force them into paying a ransom for the keys to decrypt the locked files and prevent the data from leaking. Akira are known for demanding high ransoms ranging from hundreds of thousands to millions of dollars.

Akira operations have also evolved since they appeared, exhibiting signs the Akira gang is experienced in running continuous ransomware campaigns. There have been multiple versions of the ransomware targeting a broad spectrum of systems, including Windows domains and various Linux or virtual infrastructures.

Notably, Akira's similarities with the sanctioned Conti group are striking, encompassing victim profiles, code structures, negotiation styles, and even financial transactions, suggesting a close link between the two ransomware entities.

Why did Russian Hackers attack a local company?

There are various types of malicious Russian hackers: the financially motivated cybercriminals like the Akira ransomware gang, the state-sponsored hacking groups like FancyBear/APT28 or CozyBear/APT29, and the hacktivist groups like Killnet or NoName057(16).

The cybercriminals that attacked Lush are financially motivated and fund themselves from the ransoms they earn. As a Russian-speaking group, Akira are effectively permitted by the Russian government to launch attacks, because they do not get arrested for it. Therefore, they will attack any large company they can to extort them for a ransom payment in cryptocurrency.

The government groups, like Cozy Bear and Fancy Bear, are directly funded as they belong to organisations like the Russian Foreign Intelligence Service (SVR) or Russian Military Intelligence (GRU). These groups are known as advanced persistent threats (APTs) who continuously launch campaigns against their targets to infiltrate the networks and gather valuable intelligence.

The hacktivist groups like Killnet are also different, in that they launch cyberattacks for political motivations and are also permitted (even encouraged) to do it with the full knowledge of the Russian government. These types will often use distributed denial of service (DDoS) attacks to overwhelm a target's IT systems, such as websites and applications, to cause outages and disruption.

How the organisations of Bournemouth can protect themselves from Akira

Akira’s main form of initial access has been either brute-forcing Cisco ASA VPN devices or exploiting Citrix Bleed in Citrix ADC Gateway systems. In some cases, Akira operators have been known to leverage EXOTIC LILY’s custom Bumblebee loader malware or to purchase VPN credentials for sale on darknet markets, such as Russian Market, which are fuelled by infostealer malware botnets.

The best ways organisations of Bournemouth can defend against Akira's initial access vectors are as follows:

  • Patching perimeter networking devices such as VPNs or Gateways
  • Enforcing multi-factor authentication (MFA) and changing passwords on a regular cadence
  • Leveraging email filtering gateways to stop malicious spam (malspam)
  • Leveraging endpoint detection and response (EDR) security software
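
To go with the controls above, here is one way a defender could watch for the VPN brute-forcing mentioned earlier. This is an added example, not code from the original blog. It assumes VPN logs shaped like Cisco ASA syslog message 113005 (AAA authentication rejected); the log lines are constructed, and the function name, timestamp format and thresholds are hypothetical.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

def _line(ts, user, ip):
    # Builds a constructed log line modelled on ASA message 113005.
    return (f"{ts} %ASA-6-113005: AAA user authentication Rejected : reason = "
            f"AAA failure : server = 10.0.0.5 : user = {user} : user IP = {ip}")

# Constructed sample: one source trying six usernames in six seconds, plus one
# employee mistyping a password twice and then logging in (113004 = success).
SAMPLE_LOG = "\n".join(
    [_line(f"2024-03-01T02:00:{s:02d}", u, "203.0.113.7")
     for s, u in enumerate(["admin", "vpn", "test", "backup", "svc", "guest"])]
    + [_line("2024-03-01T09:15:00", "alice", "198.51.100.20"),
       _line("2024-03-01T09:15:30", "alice", "198.51.100.20"),
       "2024-03-01T09:16:00 %ASA-6-113004: AAA user authentication "
       "Successful : server = 10.0.0.5 : user = alice"]
)

LINE_RE = re.compile(
    r"^(?P<ts>\S+) %ASA-\d-113005: AAA user authentication Rejected"
    r".*?: user = (?P<user>\S+) : user IP = (?P<ip>\S+)"
)

def find_bruteforce_sources(log_text, window=timedelta(minutes=5), max_failures=5):
    """Return {source_ip: (peak_failures, usernames)} for each source IP that
    reaches max_failures rejected logins inside a sliding time window.
    Assumes the lines are in chronological order."""
    recent = defaultdict(deque)   # source IP -> (timestamp, user) in window
    flagged = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue              # ignore successes and unrelated messages
        ts = datetime.fromisoformat(m["ts"])
        q = recent[m["ip"]]
        q.append((ts, m["user"]))
        while ts - q[0][0] > window:
            q.popleft()           # drop failures older than the window
        if len(q) >= max_failures and len(q) > flagged.get(m["ip"], (0,))[0]:
            flagged[m["ip"]] = (len(q), sorted({u for _, u in q}))
    return flagged

if __name__ == "__main__":
    for ip, (count, users) in find_bruteforce_sources(SAMPLE_LOG).items():
        print(f"{ip}: {count} rejected logins across {len(users)} usernames")
```

Many distinct usernames from one source points to password spraying rather than a forgetful employee, and an alert like this is most useful when fed into an account lockout or source-blocking policy alongside MFA.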