Ransomware Attack by Cicada3301 Exposes 90GB of UFCW Local 135 Data

Incident Date: August 22, 2024


Overview

Victim: UFCW Local 135

Attacker: Cicada 3301

Location: San Diego, California, USA

First Reported: August 22, 2024

Ransomware Attack on UFCW Local 135 by Cicada3301

UFCW Local 135, a labor union based in San Diego, California, has recently fallen victim to a ransomware attack by the notorious group Cicada3301. The attackers claim to have exfiltrated and published 90 GB of the union's data on August 22, 2024. This incident underscores the persistent threat posed by ransomware groups and the significant impact such breaches can have on organizations.

About UFCW Local 135

UFCW Local 135 represents workers across various industries, including grocery, retail, pharmacy, medical, dental, and cannabis. The union is part of the United Food and Commercial Workers International Union, which has over 1.3 million members across the United States and Canada. UFCW Local 135 is dedicated to improving the lives of working families and advocating for justice in the workplace. The union's leadership team includes President Todd Walters, Secretary-Treasurer Grant Tom, and Recorder/Political & Organizing Director Maribel Mckinze.

With a workforce of between 11 and 50 employees, UFCW Local 135 focuses on negotiating better wages, benefits, and working conditions for its members. The union's recent successful organization of Better Buzz Coffee workers in San Diego highlights its commitment to addressing concerns regarding wages, benefits, and workplace safety.

Attack Overview

On August 22, 2024, the ransomware group Cicada3301 claimed responsibility for a cyberattack on UFCW Local 135. The group announced on their dark web leak site that they had exfiltrated 90 GB of sensitive data from the union. This breach has raised significant concerns about the security of the union's data and the potential long-term repercussions for its members.

About Cicada3301

Cicada3301 is a relatively new threat actor group that emerged in June 2024. Unlike traditional ransomware groups that focus on encrypting data and demanding ransom for decryption, Cicada3301 operates as a data broker. The group specializes in stealing sensitive data from targeted organizations and selling it on dark web marketplaces. This approach signifies a shift from conventional ransomware tactics to more sustained and long-term damage strategies.

Since its emergence, Cicada3301 has published data from multiple victims on its leak site, showcasing its capability to compromise and exfiltrate sensitive information. The group's primary mode of operation involves leveraging the threat of releasing stolen data to pressure organizations, although their main intent is to profit from selling the data rather than extorting ransom payments directly from the victims.

Cicada 3301

To clarify, the name “Cicada 3301” was originally associated with an online puzzle that gained notoriety between 2012 and 2014. However, the name has since been appropriated by a separate and unrelated ransomware group, which has been the focus of recent reports, including ours.

Halcyon fully respects the legacy of the original “Cicada 3301” organization and recognizes their distinction from the activities of the ransomware group using the same name. Our reporting on the ransomware group is consistent with fair use, aiming to inform the public about cybersecurity threats. For those interested in the original “Cicada 3301” and their official stance on this matter, we encourage you to visit their statement here.

We appreciate your understanding as we strive to maintain clarity and accuracy in our reporting.

Potential Vulnerabilities

UFCW Local 135, like many organizations, may have been vulnerable to this attack due to several factors. These could include inadequate cybersecurity measures, lack of employee training on phishing and social engineering attacks, and insufficient monitoring of network activities. The union's reliance on digital systems for managing member data and communications could have provided an entry point for the attackers.
