Cyber Incident Victim: Radley London
Date: Aug 2023
Location: United Kingdom
Summary
Luxury handbag maker Radley London was hit by a cyberattack from the RansomHouse gang, who claim to have stolen 600GB of data. The company contained the incident, took affected systems offline, and restored operations from clean backups. While RansomHouse typically extorts companies by stealing data, this attack also involved encryption of the company's systems.
Description
On or around August 29, 2023, the luxury handbag manufacturer Radley London became the victim of a cyberattack claimed by the cybercrime gang known as RansomHouse. The group publicly listed the UK-based company on its dark web victim blog, a common tactic used by such entities to apply pressure during negotiations. According to the gang's post, they successfully exfiltrated approximately 600GB of data from Radley London. The post, which was addressed to "Dear Radley and Co," contained a warning, stating, “We are sure that you are not interested in your confidential data to be leaked or sold to a third party. We highly advise you to contact us.” Notably, the public listing did not include a specific ransom demand or a deadline for payment at the time it was observed, which may indicate a breakdown in private communications between the company and the attackers. RansomHouse also claimed to have encrypted the company’s data on August 29, a significant detail as it suggests a potential evolution in the group's methodology from pure data theft to incorporating disruptive encryption techniques.

Radley London, a premium manufacturer of handbags and accessories founded in 1988, reported a turnover of £47.5 million in 2022. In response to the incident, a company spokesperson provided a statement confirming that they had recently identified and contained an IT security incident which caused some disruption to business operations. The company's immediate action was to take the affected part of its systems offline to prevent further damage and to initiate a comprehensive investigation into the event. This investigation was conducted in partnership with external forensic specialists to determine the scope and impact of the breach. The spokesperson emphasized that the company had restored its systems from clean, unaffected backups, a process that allowed them to begin returning the business to normal operational status. Throughout this period, the company's physical stores remained open for customers, and its e-commerce website continued to be available, indicating that mitigation efforts were partially successful in maintaining customer-facing services.
The incident involving Radley London was not an isolated event on the RansomHouse blog, as the group simultaneously listed another victim, the US law firm Hawkins, Delafield and Wood. The gang claimed to have encrypted part of the law firm's systems on September 3, 2023, just a few days after the attack on Radley London. This pattern of listing multiple victims demonstrates RansomHouse's ongoing operational activity and its strategy of publicizing attacks to incentivize payment. The company spokesperson for Radley London outlined the communication strategy following the incident, noting that they had informed their colleagues about the event and would continue to liaise closely with their business partners and the relevant authorities as the investigations progressed. This approach is consistent with standard incident response protocols that emphasize transparency with stakeholders and cooperation with law enforcement and regulatory bodies.
RansomHouse is a cybercrime group that has been active since at least 2021. Its typical modus operandi involves stealing sensitive data from victim organizations and then extorting them by demanding payment to prevent the public release or sale of that data to third parties. The group has historically been characterized by cybersecurity researchers as possessing a more professional and focused demeanor compared to other cybercriminal gangs. Some researchers have previously suggested that the group may be composed of disgruntled bug bounty hunters, individuals who normally operate within a legitimate framework to find and report software vulnerabilities for rewards. This theory is supported by analyses, such as a blog post from security company MalwareBytes, which described RansomHouse as being “seen as polite and focused and not easily swayed away into irrelevant conversations.” The group has also publicly claimed to be “pro-freedom” and “very liberal,” asserting they want nothing to do with radical hacktivists or state-sponsored espionage groups.
However, despite this self-proclaimed professional ethos, RansomHouse has been responsible for several high-impact and devastating attacks. A prominent example is the attack on the Hospital Clinic de Barcelona, which had severe consequences for healthcare delivery. The attack was so disruptive that it reduced hospital staff to using pen and paper for record-keeping, crippling operational efficiency. The incident resulted in the reported cancellation of over 150 surgeries, 3,000 patient appointments, and 400 medical analyses. The scale and severity of this attack prompted investigations by major international law enforcement agencies, including Europol and Interpol. In another significant incident the previous year, RansomHouse carried out an attack against the Government of Vanuatu, a chain of islands in the south-western Pacific Ocean. That attack persisted for over a month and led to the exfiltration and loss of 3.2TB of data, underscoring the group's capability to sustain prolonged operations against large targets.
The claim by RansomHouse that it encrypted data belonging to Radley London is a notable development in the group's tactics. While their primary business model has been data theft and extortion, the introduction of encryption suggests a potential crossover into the realm of ransomware, where attackers not only steal data but also lock it away from the victim, demanding a payment for its decryption. This dual-threat approach maximizes pressure on victims, as it combines the fear of public data exposure with the immediate operational paralysis caused by encrypted systems. For Radley London, the ability to restore systems from clean backups was a critical factor in mitigating the encryption aspect of the attack, allowing the company to regain access to its systems without needing to engage with the attackers for decryption keys. The company's swift containment response, taking affected systems offline, was instrumental in preventing further spread of the attack and limiting the overall disruption to business operations. The ongoing investigation with forensic experts aims to fully understand the attack vector, the exact nature of the data accessed, and to reinforce security measures to prevent future incidents.
