ACDC Express Hit by LockBit Ransomware in Major Cyber Attack
LockBit Ransomware Group Targets ACDC Express in Major Cyber Attack
On August 13, 2024, ACDC Express, a prominent South African electrical retail and wholesale franchise, fell victim to a ransomware attack orchestrated by the notorious LockBit group. The attack compromised the company's website, disrupting its operations and potentially exposing sensitive data.
About ACDC Express
Established in 2007, ACDC Express has grown to become a significant player in the South African electrical market. The company specializes in a comprehensive range of electrical solutions, catering to both retail customers and businesses. Its offerings include lighting, wiring, circuit breakers, and backup power systems like inverters and generators. ACDC Express operates through independently owned stores and serves a wide audience, from individual consumers to large-scale enterprises.
Headquartered in Bedfordview, Gauteng, ACDC Express employs between 201 and 500 people. The company has multiple locations across South Africa, including major cities like Johannesburg, Cape Town, and Pretoria. Known for its extensive product range and customer-centric services, ACDC Express has established itself as a one-stop shop for all electrical needs.
Attack Overview
The ransomware attack on ACDC Express was executed by the LockBit group, a highly sophisticated ransomware-as-a-service (RaaS) organization. LockBit is known for its "double extortion" tactics, in which it exfiltrates sensitive data and threatens to release it publicly if the ransom is not paid. The exact size of the data leak from ACDC Express remains unknown, but the incident highlights the growing threat of ransomware attacks on critical supply chain entities.
About LockBit Ransomware Group
Active since September 2019, LockBit has become the most active ransomware group, responsible for over one-third of all ransomware attacks in the latter half of 2022 and the first quarter of 2023. LockBit uses a combination of RSA-2048 and AES-256 encryption algorithms to encrypt victims' files. The group exploits vulnerabilities in Remote Desktop Protocol (RDP) services and unsecured network shares to spread quickly across a network. LockBit also performs checks to avoid executing on systems with languages common to the Commonwealth of Independent States (CIS) region.
Penetration and Vulnerabilities
LockBit likely penetrated ACDC Express's systems by exploiting vulnerabilities in the company's network infrastructure. The group's ability to spread laterally via group policy or admin shares, combined with its use of sophisticated encryption techniques, makes it a formidable threat. ACDC Express's extensive online presence and reliance on digital operations may have made the company an attractive target for the ransomware group.