This is a work in progress. While we strive for accuracy, some breach details may be incomplete or pending verification.

Kadac Australia

Summary

Kadac Australia, a Victoria-based organic and health product supplier, discovered it was the victim of a Medusa ransomware attack on 12 February 2024. The Medusa gang listed Kadac on its leak site the same day, demanding $100,000 in ransom with a 10-day deadline (21 February). After the deadline passed, the gang attempted to sell the data rather than simply publishing it. The $100,000 demand was notably lower than typical Medusa ransoms, which have exceeded US$1 million.

What Happened

The Medusa ransomware gang breached Kadac Australia's systems and exfiltrated corporate data including financial records, email correspondence, certificates, customer details, and marketing materials. Kadac discovered the attack on 12 February 2024, the same day Medusa listed the company on their darknet leak site. The gang published sample data as proof and set a 21 February deadline for paying the $100,000 ransom. When the deadline passed without payment, Medusa unusually attempted to sell the data to interested parties rather than following their normal practice of simply publishing it.

Impact on Individuals

The breach exposed business data including:

  • Financial records
  • Email correspondence
  • Customer details
  • Marketing data
  • Certificates

Customers and business partners should:

  • Be alert for phishing emails using stolen business information
  • Watch for scams targeting health product consumers
  • Monitor for potential misuse of customer details
  • Be cautious of suppliers or partners impersonating Kadac

The relatively low ransom demand ($100,000 compared to Medusa's typical multi-million dollar demands) suggested the attackers assessed the stolen data or company's ability to pay as limited.

Organisational Response

Kadac Australia is a Victoria-based supplier of organic and health products. The company faced a decision on whether to pay the unusually low $100,000 ransom demand. After the 21 February deadline passed, Medusa departed from their typical practice of simply publishing stolen data and instead attempted to sell it on criminal forums, suggesting possible difficulties in finding buyers or unusual characteristics of the stolen data.

Verification Source: View original statement