Exclusive: Another case of ransomware data duplication as second group claims Myelec cyber attack

Late last month, the Lynx ransomware gang listed Myelec on its dark web leak site, claiming to have stolen data and posting screenshots as samples.

Based on the screenshots, data at risk includes names, email addresses, and confidential business information, but it could include more personal details.

Outside of this, Lynx provided very little detail of the nature of the incident.

At the time, Cyber Daily reached out to Myelec, which confirmed the company was aware of the incident but declined further comment.

Now, just over two weeks later, the Meow Leaks ransomware gang has also claimed to have data belonging to Myelec and has listed it for sale.

“We are pleased to offer an exclusive opportunity to access over 110 GB of confidential data from Myelec Electrical, one of the leading electrical wholesalers in Western Australia,” said the group.

Meow Leaks also posted sample data, which contains contracts, invoices, sales targets and reports, company bank documents, and other confidential business data.

Within these are names, phone numbers, and email addresses of staff, as well as banking information.

VIEW ALL

Additionally, Meow Leaks also posted a Windows Explorer screenshot containing a number of files.

According to the threat group, the data it has includes employee data, client information, scanned payment documents, commercial proposals and enterprise audit results, internal financial documents, partnership agreements, certifications, data backups, and much more confidential information.

“These records provide valuable insights into Myelec Electrical’s operations, partnerships, and business strategies, making them particularly useful for industry professionals, competitors, and analysts,” it said.

The data has been listed for $20,000 for a single purchase or $10,000 for a non-exclusive purchase.

While this initially appears to be a new incident, researchers have highlighted previous cases where threat actors have duplicated the data stolen from other threat groups and listed it themselves.

Speaking with Cyber Daily, Myelec echoed this idea, with a company spokesperson confirming that this is not a new incident but duplicated data from the Lynx incident.

A similar incident recently highlights the ability of these cyber criminals to lie about what data they have and republish data stolen by other groups.

The issue first came to light when Design Intoto, an Australian retail design company, was listed for the second time this year by the LockBit 3.0 ransomware gang, just three months after it had been listed by RansomHub in April.

Speaking with Cyber Daily, Design Intoto said that the new listing seems to be based on the same incident that was previously claimed by RansomHub in April.

“Following a cyber incident in April this year, Design Intoto has become aware that a third party has named Design Intoto online alongside claims they have some of our data.

“We are investigating these claims as a priority and have found no evidence to suggest this is a new incident,” said a company spokesperson.

“Based on the current cyber landscape, we understand this new mention is likely an attempt by a separate group to recycle the data involved in the cyber incident reported in April. We are advised that ‘data recycling’ events from prior cyber incidents are becoming increasingly common among certain cyber groups.

“We have a range of cyber security measures and monitoring in place to ensure we are aware of any further developments, including any data publication that may occur. If we detect that additional information is published to that previously assessed, we will take all appropriate action and, if necessary, contact affected parties as required to provide support and guidance.

“We take cyber security and the protection of information seriously and are committed to keeping our stakeholders updated as required as we respond to this development.”

Additional investigations by Cyber Daily noted that LockBit listed a number of companies that were listed by RansomHub in April, while researchers from Ransomfeed.it also suggested that the new instances are duplicates.

“Since Operation Cronos, lockbit3 has close tied with many groups (including RansomHub, Play, ...); on its communication channels, it continues to publish samples and materials belonging to its affiliates,” it said.

“Just among the latest ones, which appeared on the platform under the name lockbit3, we find a bunch from #lockbit2 (2021 and 2022),” Ransomfeed.it said, adding that it also noted Design Intoto as well as GB Ricambi, JuteBag and the Robeson County Sheriff’s Office were listed again.

Cyber Daily confirmed that these listings were all RansomHub listings from April this year.

“There is no evidence that the victims were hit again by another group, so in order not to have inflated and untrue numbers, we will treat these as duplicates of the previous claim.

“We are checking for the best way to treat and classify, these kinds of situations, so that it is clear (until proven otherwise) that we’re talking of the same claim published by the original threat actor,” Ransomfeed.it said.

Daniel Croft

Born in the heart of Western Sydney, Daniel Croft is a passionate journalist with an understanding for and experience writing in the technology space. Having studied at Macquarie University, he joined Momentum Media in 2022, writing across a number of publications including Australian Aviation, Cyber Security Connect and Defence Connect. Outside of writing, Daniel has a keen interest in music, and spends his time playing in bands around Sydney.