11 December 2023

On December 6, 2023, the operators of LockBit ransomware claimed to have compromised Aldo, a shoe retailer, on their ransomware blog. The group has given Aldo until December 25, 2023, to pay a ransom, otherwise stolen data will be published.

On December 6, 2023, the operators of LockBit ransomware claimed to have compromised Aldo, a shoe retailer, on their ransomware blog. The group has given Aldo until December 25, 2023, to pay a ransom, otherwise stolen data will be published.

Aldo later confirmed that the attack impacted the systems of an undisclosed franchise partner. The spokesperson reassured that “no Aldo Group owned or operated systems were affected by this incident” and noted that the partner “confirmed that the affected data is limited to information pertaining to their operations in a specific overseas territory.” They further stated that no customer financial or payment card information has been impacted. KELA reviewed sample data shared by LockBit and can confirm, based on the sample documents, that the affected entity appears to be an Israel-based Aldo franchise. 

Figure 1: Aldo listed as victim on LockBit’s blog

Organizations not only need to be vigilant of attacks on their own systems, but also attacks on their third parties. These third parties can hold sensitive company information and even access to company systems. Over the last month, several attacks have been claimed by ransomware and extortion actors that originated from attacks on a company’s third parties. 

For instance, in November 2023, the Alphv ransomware group listed Dragos on their ransomware blog. They noted that the attack was the result of a third-party breach and gave Dragos 24 hours to contact them or they threatened “we will begin the publication of both the facts & the data of executive members.” A few days after the post, Dragos stated that they have not been contacted by the threat actors and that they have not found any evidence that a Dragos system was compromised. Alphv has since removed the post from their blog.

Furthermore, the Snatch extortion team posted an update on their Telegram channel regarding a recent attack. They claimed that initial access to the company and data was obtained after an attack on a third party financial services company. They warned that “the entire list of clients whose data was stored” by the third-party “is under attack now.”

Figure 2: Dragos listed on Alphv’s blog

As part of a comprehensive cybersecurity strategy, it is important that organizations look to mitigate third party risk. Organizations should ensure that they conduct a thorough risk assessment before onboarding a third party. Furthermore, organizations should continuously monitor potential risks associated with their third parties, including their exposure in cybercrime sources.

Get notified about threats targeting your organization as well as your third-party providers in real-time. Try KELA’s Cyber Threat Intelligence Platform for Free.