Analyzing the Cybersecurity Breach at All We Wear Group by the Underground Team

Incident Date: May 4, 2024

Overview

Title: Analyzing the Cybersecurity Breach at All We Wear Group by the Underground Team
Victim: All We Wear Group
Attacker: Underground Team
Location: Sant Feliu de Llobregat, Spain
First Reported: May 4, 2024

Analysis of the Underground Team Ransomware Attack on All We Wear Group

Company Profile

Founded in 2006, All We Wear Group (AWWG) is a prominent player in the global fashion industry, housing iconic brands such as Pepe Jeans London, Hackett, and Façonnable. The company operates more than 5,000 points of sale across 54 countries and employs over 4,200 individuals. With a projected revenue of approximately 655 million euros for the fiscal year 2023/24, AWWG stands out due to its diverse brand portfolio and strong market presence.

Details of the Ransomware Attack

The cyberattack on AWWG was executed by the Underground Team, a notorious ransomware group. The attack targeted the company's Spanish website, awwg.com, leading to the exfiltration of 204.9 GB of sensitive data. The data dated back several decades, to 1987, and included financial records, legal documents, and personally identifiable information (PII) of employees and board members.

The compromised data was extensive, featuring passports, IDs, addresses, emails, social security numbers, phone numbers, job offers, payroll data, and non-disclosure agreements among other sensitive information. The full dataset has been published on the dark web, posing significant privacy and security risks to the individuals and entities involved.

Characteristics of Underground Team Ransomware

Underground Team ransomware is known for its sophisticated 64-bit GUI and uses a variety of commands to disrupt victim systems. These include deleting backups, modifying registry settings, and halting critical services such as MSSQLSERVER. The ransomware uses API functions to identify system volumes, drops its ransom note in multiple system folders, and selectively encrypts files and directories.
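One way a defender could correlate the behaviours described above (backup deletion, registry changes, stopping MSSQLSERVER) in process-creation logs. This is an added example, not code from the original report; the command patterns, time window, threshold and sample events are assumptions built from common Windows utilities, not indicators attributed to Underground Team.

```python
import re
from collections import defaultdict

# Behaviour classes named in the paragraph above. The concrete command patterns
# are assumptions (common Windows utilities), not indicators from this report.
RULES = {
    "backup_deletion": re.compile(
        r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    "service_stop": re.compile(r"\b(net1?|sc)(\.exe)?\s+stop\s+MSSQLSERVER\b", re.I),
    "registry_change": re.compile(r"\breg(\.exe)?\s+(add|delete)\s", re.I),
}
WINDOW_SECONDS = 300   # assumed correlation window
MIN_BEHAVIOURS = 2     # a single match is often routine administration

def correlate(events):
    """events: iterable of (epoch_seconds, host, command_line).
    Returns {host: sorted behaviour names} for hosts where at least
    MIN_BEHAVIOURS distinct behaviours occur within WINDOW_SECONDS."""
    hits = defaultdict(list)
    for ts, host, cmd in events:
        for name, pattern in RULES.items():
            if pattern.search(cmd):
                hits[host].append((ts, name))
    alerts = {}
    for host, seen in hits.items():
        seen.sort()
        best = set()
        for i, (start, _) in enumerate(seen):
            names = {n for t, n in seen[i:] if t - start <= WINDOW_SECONDS}
            if len(names) > len(best):
                best = names
        if len(best) >= MIN_BEHAVIOURS:
            alerts[host] = sorted(best)
    return alerts

# Constructed process-creation events (host names and times invented), not real telemetry.
SAMPLE_EVENTS = [
    (1000, "ws-17", "vssadmin.exe delete shadows /all /quiet"),
    (1030, "ws-17", "net.exe stop MSSQLSERVER /y"),
    (1045, "ws-17", r"reg add HKLM\SOFTWARE\Example /v Flag /t REG_DWORD /d 1 /f"),
    (2000, "db-02", "net stop MSSQLSERVER"),       # lone maintenance stop
    (9000, "db-02", "vssadmin list shadows"),      # read-only, matches no rule
    (500, "ws-04", "sc stop MSSQLSERVER"),
    (4000, "ws-04", "wmic shadowcopy delete"),     # outside the window
]

if __name__ == "__main__":
    for host, behaviours in correlate(SAMPLE_EVENTS).items():
        print(host, behaviours)
```

Requiring two distinct behaviours on one host within the window keeps a single routine service stop or registry edit from raising an alert.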

The primary infection vector for this ransomware is typically phishing emails containing malicious attachments or links to compromised websites. These emails are crafted to appear legitimate, tricking users into triggering the ransomware's deployment.

Vulnerabilities and Industry Impact

AWWG's significant digital footprint and extensive data repositories made it an attractive target for the Underground Team. The fashion industry, with its global supply chains and diverse customer data, remains particularly vulnerable to such attacks, which can lead to substantial financial and reputational damage.
