Medusa Ransomware Group Hits North Coast Petroleum, Exposes Sensitive Data

Incident Date:

June 27, 2024

World map



Medusa Ransomware Group Hits North Coast Petroleum, Exposes Sensitive Data


North Coast Petroleum




Lismore, Australia

, Australia

First Reported

June 27, 2024

Medusa Ransomware Group Targets North Coast Petroleum

Overview of North Coast Petroleum

North Coast Petroleum (NCP) is a comprehensive fuel and lubricant distribution company based in Lismore, Australia. The company specializes in providing a wide range of petroleum products and services to various sectors, including agriculture, transport, industrial, and retail. NCP's operations encompass the supply of bulk fuels, lubricants, and other related products, ensuring that their clients have access to high-quality energy solutions tailored to their specific needs.

One of the primary services offered by NCP is the distribution of bulk fuels, including diesel, unleaded petrol, and other fuel types. Their logistics network is designed to ensure timely and efficient delivery, minimizing downtime and ensuring that their clients' operations run smoothly. NCP also supplies a variety of lubricants essential for the maintenance and efficient operation of machinery and vehicles. Additionally, NCP operates a network of service stations, providing convenient refueling options for motorists.

NCP stands out for its strong commitment to the local community, particularly in times of crisis. In 2022, the company played a vital role in supporting the Lismore community during devastating floods, providing fuel, care parcels, and essential supplies. This community-focused approach earned NCP the 2023 Marg Taylor Award for Community Spirit at the inaugural Australian Fuel & Convenience Awards.

Details of the Ransomware Attack

On June 24, 2024, North Coast Petroleum fell victim to a ransomware attack by the Medusa ransomware group. Medusa announced the breach on its dark web leak site, claiming to have stolen 71.5 gigabytes of data. The group set a countdown for the data's public release, scheduled for just over eight days later, and demanded a ransom of US$150,000. They also offered the stolen data for sale at the same price.

To substantiate their claims, Medusa posted numerous documents, including invoices, dangerous goods manifests, and personal information such as a passport, driver’s license, and credit card scans. Employee information forms with names, addresses, and phone numbers were also exposed. Additionally, a document titled "creditor payments" revealed the BSB and bank account details of several North Coast Petroleum customers, including notable companies like Schweppes Australia, Soda Stream, Repco, and Frucor Beverages.

About the Medusa Ransomware Group

Medusa is a ransomware group that emerged in late 2022 and gained notoriety throughout 2023 and into 2024. Operating as a Ransomware-as-a-Service (RaaS) platform, the group allows affiliates to use its ransomware to launch attacks. Medusa is distinct from other groups like MedusaLocker and has been involved in various high-profile attacks targeting multiple sectors globally.

Medusa's ransomware is designed to kill numerous applications and services to prevent detection and mitigation. It also disables shadow copies to thwart recovery efforts. The group's ransomware encrypts critical data and demands substantial ransoms for decryption keys, with recent demands ranging from hundreds of thousands to millions of dollars. Victims of Medusa's attacks have ranged from small organizations to large entities, and the group often releases stolen data publicly if ransoms are not paid.

Potential Vulnerabilities and Penetration Methods

While the specific method of penetration used by Medusa in the North Coast Petroleum attack has not been disclosed, common vulnerabilities exploited by ransomware groups include weak or compromised passwords, unpatched software, and phishing attacks. Given NCP's extensive operations and reliance on digital systems for logistics and customer management, any lapses in cybersecurity measures could have provided an entry point for the attackers.

Organizations in the energy, utilities, and waste sector, like NCP, are particularly attractive targets for ransomware groups due to the critical nature of their services. Disruptions in fuel and lubricant supply chains can have far-reaching consequences, increasing the likelihood that victims may pay the ransom to restore operations quickly.


Recent Ransomware Attacks

The Recent Ransomware Attacks (RRA) site acts as a watchtower, providing you with near real-time ransomware tracking of attacks, groups and their victims. Given threat actors’ overarching, lucrative success so far, ransomware attacks have become the most ubiquitous, and financially and informationally impactful cyber threat to businesses and organizations today.

The site’s data is generated based on hosting choices of real-world threat actors, and a handful of other trackers. While sanitization efforts have been taken, we cannot guarantee 100% accuracy of the data. Attack updates will be made as source data is reported by reputable sources. By viewing, accessing, or using RRA you acknowledge you are doing so at your own risk.