
Cyber Incident Victim: Natures Organics

Date:

Jan 2025

Location:

Australia

Summary

Natures Organics experienced a ransomware attack by the Medusa group, which exfiltrated approximately 143 gigabytes of sensitive data including employee passport and driver’s license scans, bank transaction histories, internal communications, and payroll information. The attackers demanded $150,000 to delete the data or prevent its publication, with an option to extend the deadline for $10,000. The Australian manufacturer confirmed the breach, notified staff and authorities, and stated no client data was compromised. Medusa employs ransomware-as-a-service tactics, leveraging legitimate tools to evade detection, disable security defenses like Microsoft Defender, and maintain persistence within networks. The group has previously targeted other Australian entities using similar methods.

CIA Posture: Available to members
Motives: 1 motive
Tactics, Techniques & Procedures: 2 techniques
Threat Actor: 1 actor
Type: Available to members
Location: Available to members

Description

On January 30, 2025, Australian manufacturer Natures Organics confirmed it had fallen victim to a Medusa ransomware attack after the threat actor listed the company on its darknet leak site. The attackers claimed exfiltration of 142.85 gigabytes of sensitive data, equivalent to over 47,000 lines of file listings, including employee passport and driver’s license scans, bank account transaction histories, confidentiality agreements, internal communications, and payroll records. Medusa issued an eight-day deadline for Natures Organics to pay a $150,000 ransom to prevent public data release or secure deletion, with options to extend the deadline for $10,000 or pay the same amount for data deletion. The company acknowledged first detecting the incident on January 30 and promptly notified affected staff and government authorities while confirming retail clients remained unaffected. A spokesperson stated Natures Organics had "taken the appropriate action" following the breach but did not disclose specific containment or remediation measures.


Medusa, characterized by cybersecurity experts as a ransomware-as-a-service (RaaS) operation, employed living-off-the-land techniques using legitimate software tools to blend malicious activity with normal network traffic, complicating detection. The group maintained persistence post-compromise by leveraging remote management utilities to execute payloads, disabling defenses like Microsoft Defender through vulnerable drivers, and moving laterally via registry key modifications and scheduled task creation. This incident followed Medusa’s September 2024 attack on Australian catering firm Compass Group and preceded a January 31 listing of ARDEX Australia on their leak site. Natures Organics, producer of brands including Earth Choice and My Soda with retail partnerships at Coles and Chemist Warehouse, emphasized its 140+ Australian workforce and international NGO support programs as unaffected third parties. The breach exposed highly sensitive personnel documents but did not disrupt customer operations or charitable initiatives according to corporate statements.
