American cycling clothing brand hit by ransomware attack
Over 10,000 files of employee and financial data obtained
American cycling clothing brand, Primal Wear, has been targeted by a ransomware attack in a breach which appears to include over 10,000 files, totalling more than 17 gigabytes of data.
The breach, which was publicised by ransomware tracking website RansomLook on January 11, appears to include folders of data relating to the company's financials, employees, sales and more.
There is no indication so far that customer data is affected.
Founded in 1992, Primal Wear is a manufacturer of cycling clothing and accessories. It is famed for its more outlandish designs: its current range includes a variety of tie-dye options, a full-body American flag, and a tribute to Pink Floyd's album The Dark Side of the Moon. The brand operates primarily in the USA but is well-known around the world.
The attack, which appears to have taken place in late December, was performed by the fast-growing ransomware group, RansomHub.
The only indication of which data has been obtained comes courtesy of a screenshot. It shows a list of folders, including three titled Invoices, Employees, and Financials.
Alongside this is a screenshot from a text document listing a directory of files, including PDFs, images and spreadsheets. A summary beneath this suggests some 10,513 files, totalling over 17 gigabytes of data, have been obtained.
Beneath these screenshots, there is an IRS filing, a certificate of liability insurance, and most pertinently, a CyberRisk Application form with Travelers Casualty and Surety Company of America, seemingly for insurance against ransomware like this very attack.
According to a report by s-rminform, RansomHub is a 'Ransomware as a service' group – essentially a cybercrime business model in which developers sell malware to other hackers, who then use it to initiate attacks. These other hackers, known as affiliates, often remain unnamed.
The group was formed in February 2024, and quickly rose to become one of the most prolific in its sector. In its first 207 days, it is claimed to have taken 227 victims, including US healthcare payment provider, Change Healthcare; the world's second-largest oil service company, Halliburton; and the Rite Aid drugstore chain.
As with most ransomware groups, its modus operandi is to steal and encrypt sensitive company data, and then ask for payment to prevent it from being leaked.
While most attacks include a set fee and a deadline, these details are currently unclear in the case of the Primal Wear attack. Cyclingnews has attempted to contact Primal Wear for details, but as yet has received no response.
Examples of the group's previous ransom notes include an opening line which simply states:
"Your company Servers are locked and Data has been taken to our servers. This is serious."
Most go on to include explicit threats to publish data if ransoms aren't paid, such as the following: "If you don't pay the ransom, the data will be published on our TOR darknet sites… The sooner you pay the ransom, the sooner your company will be safe."
Some of them also go on to claim that seeking help from the authorities "will only make the situation worse," and that if companies refuse to pay, the group will "make you [sic] business stop forever."
This isn't the first time a cycling brand has been subject to a data breach of this kind. In late 2023, Shimano suffered a significant breach at the hands of ransomware group LockBit 3.0, where 4.5 terabytes of data were stolen. According to a report by Escape Collective, the brand refused to pay, and the data was subsequently released, including "payroll spreadsheets with names of thousands of employees, vaccination statuses, and ‘medical surveillance’ information."
Before this, back in 2020, American GPS giant, Garmin, was attacked in similar circumstances, and although the brand's systems soon returned to normal, it was never confirmed if the brand paid the $10 million fee.
Josh is Associate Editor of Cyclingnews – leading our content on the best bikes, kit and the latest breaking tech stories from the pro peloton. He has been with us since the summer of 2019 and throughout that time he's covered everything from buyer's guides and deals to the latest tech news and reviews.