SafePay Targets Triton Sourcing in Ransomware Attack
Ransomware Attack on Triton Sourcing & Distribution by SafePay
The ransomware group SafePay has recently targeted Triton Sourcing & Distribution, a New Zealand-based company specializing in the manufacturing and distribution of clothing. This attack highlights the vulnerabilities faced by companies in the manufacturing sector, particularly those involved in high-volume consumer goods and third-party logistics.
Company Overview
Triton Sourcing & Distribution, established over 40 years ago, is a family-owned business operating in Silverdale, Auckland. The company has transitioned into its second generation of management, maintaining a trusted reputation while introducing fresh ideas. Triton is primarily engaged in the manufacturing and distribution of men's and women's clothing, catering to retail partners with a focus on fast-moving consumer goods. Their role as a third-party logistics provider is crucial for ensuring timely deliveries, which is essential for customer satisfaction and operational efficiency.
Attack Overview
SafePay has claimed responsibility for the ransomware attack on Triton, listing the company on its darknet leak site. The group claims to have stolen 10 gigabytes of data, primarily consisting of .XML files from Triton's Exo order system. The attack, confirmed to have occurred in October, disrupted operations for a few days. However, Triton managed to recover quickly and is currently addressing delayed orders. The compromised data mainly pertains to order processes, and the company believes there is no significant risk to third parties or staff.
SafePay Ransomware Group
SafePay is known for employing ransomware-as-a-service tactics, utilizing LockBit source code. The group distinguishes itself through a double-extortion strategy, encrypting files and threatening to release stolen data if ransom demands are unmet. SafePay typically gains access to victim networks through valid credentials, often acquired via VPN gateways, indicating a stealthy approach to infiltration. Their presence on the dark web is maintained through a Tor-based leak site, where they list past victims and provide details about stolen data.
Vulnerabilities and Impact
Triton's involvement in high-volume consumer goods and third-party logistics makes it a lucrative target for ransomware groups like SafePay. The company's reliance on digital systems for order processing and logistics management presents vulnerabilities that threat actors can exploit. Despite the attack, Triton's quick recovery and the nature of the compromised data suggest a resilient operational framework capable of withstanding such cyber threats.