
Exclusive: LockBit 3.0 appears to be duplicating old listings as Design Intoto named a second time

For the second time this year, threat actors have claimed an attack on Australian retail design company Design Intoto, but they appear to be claiming responsibility for the same incident.

Daniel Croft
Tue, 03 Sep 2024

On 30 August, the company was listed on the dark web leak site of LockBit 3.0, which threatened to publish data on 13 September.

Outside of the listing, the ransomware gang has not said what data was allegedly exfiltrated in the breach nor displayed a ransom cost for the release and/or decryption of the stolen data.

However, speaking with Cyber Daily, Design Intoto has said that the new listing seems to be based on the same incident that was previously claimed by RansomHub in April.


“Following a cyber incident in April this year, Design Intoto has become aware that a third party has named Design Intoto online alongside claims they have some of our data.

“We are investigating these claims as a priority and have found no evidence to suggest this is a new incident,” said a company spokesperson.

“Based on the current cyber landscape, we understand this new mention is likely an attempt by a separate group to recycle the data involved in the cyber incident reported in April. We are advised that ‘data recycling’ events from prior cyber incidents are becoming increasingly common among certain cyber groups.

“We have a range of cyber security measures and monitoring in place to ensure we are aware of any further developments, including any data publication that may occur. If we detect that additional information is published to that previously assessed, we will take all appropriate action and if necessary, contact affected parties as required to provide support and guidance.

“We take cyber security and the protection of information seriously and are committed to keeping our stakeholders updated as required as we respond to this development.”

Cyber Daily’s own investigation has confirmed that LockBit has claimed attacks on a number of organisations that were previously named by LockBit or other threat actors.

Advisory firm PKF was listed on LockBit’s dark web leak site on 21 April and then again on 30 August. Speaking with Cyber Daily, the company stated that it believes the new claim is based on the same data.

“PKF takes cyber security and the protection of data very seriously. As such, we have investigated these claims, and we have found no evidence to validate them,” the firm said.

“We believe that this information may be based on a historical event which has resurfaced. We will, of course, continue to monitor the situation and, should this situation change, we will take appropriate action and communicate with all stakeholders concerned.”

Researchers from Ransomfeed.it have also suggested that these incidents are duplicates of listings made by its affiliates and not new cyber attacks.

“Since Operation Cronos, lockbit3 has close ties with many groups (including RansomHub, Play, ...); on its communication channels, it continues to publish samples and materials belonging to its affiliates,” it said.

“Just among the latest ones, which appeared on the platform under the name lockbit3, we find a bunch from #lockbit2 (2021 and 2022),” Ransomfeed.it said, adding that it also noted Design Intoto as well as GB Ricambi, JuteBag and the Robeson County Sheriff’s Office were listed again.

Cyber Daily confirmed that these listings were all RansomHub listings from April this year.

“There is no evidence that the victims were hit again by another group, so in order not to have inflated and untrue numbers, we will treat these as duplicates of the previous claim.

“We are checking for the best way to treat and classify these kinds of situations, so that it is clear (until proven otherwise) that we’re talking of the same claim published by the original threat actor,” Ransomfeed.it said.

Design Intoto is a Sydney-based retail design organisation with major clients such as Coca-Cola, Tefal, KFC, Vodafone and more.

LockBit 3.0's latest claims come just months after RansomHub, another threat group, claimed to have stolen 700 gigabytes of data from Design Intoto.

On 30 April, RansomHub listed the company on its leak site, threatening to publish the allegedly stolen data in 10 days.

“We have been in your network for a long time and have had time to analyze your business. We have found many interesting documents, the publication of which will destroy your business and reputation,” said RansomHub.

“We have also stolen more than 700 GB of your confidential data and offer to make a deal that will satisfy both parties.

“If you ignore or refuse the deal, we will be forced to release all your data to the public.”

In classic RansomHub fashion, the threat actors also attempted to scare Design Intoto into meeting its terms, saying that its clients would see how the company “neglected their personal information” and would take them to court with a foolproof plan, as well as the notion that the story will gain major media coverage.

Daniel Croft

Born in the heart of Western Sydney, Daniel Croft is a passionate journalist with an understanding for and experience writing in the technology space. Having studied at Macquarie University, he joined Momentum Media in 2022, writing across a number of publications including Australian Aviation, Cyber Security Connect and Defence Connect. Outside of writing, Daniel has a keen interest in music, and spends his time playing in bands around Sydney.
