Login
iscover
Share this article on:
Powered by
MOMENTUM
MEDIA
Powered by MOMENTUMMEDIA
Ausfec Limited, which trades as The Distributors, was allegedly hacked by the J ransomware gang earlier this year.
A ransomware newcomer has listed a company with links to confectionery and snack food wholesaler The Distributors as a victim on its darknet leak site.
The J ransomware group seems to have only recently been discovered by threat analysts, with listings of its activity only shared this month, May 2025.
However, J’s initial burst of activity took place in February and March of 2025, and the operation appears to have gone quiet since then.
J listed its first victim on 17 February, and a further eight victims leading up to 13 March. On 22 February, it listed an Australian victim – ausfec1.com.au. J appears to only list victims by their URLs, and in this case, the URL does not appear to exist.
However, a company called Ausfec Limited is listed on the Australian ABN Lookup site, which trades as The Distributors, a wholesaler with offices across Australia that focuses on supplying snacks, confectionery, and a range of other products to corner stores, petrol stations, and newsagents.
The brands it distributes include Red Bull, Smiths, Whittakers, and Bayer, while its customers include FoodWorks, IGA, Caltex, and 7-Eleven.
While no data for any victim has yet been published – at the time, the hackers claimed to have stolen 204 gigabytes of data – J has included a file listing of the data it allegedly exfiltrated. This data includes multiple references not only to The Distributors but also to many of its local distribution operations around the country.
The file listing suggests that 4,782 directories were accessed, totalling more than 120,000 files. The data largely appears to be distribution agreements and invoices relating to The Distributors’ clients and customers, product allocations, and banking documents.
The Distributors did not respond to Cyber Daily’s request for comment.
Who is J?
J appears to have at least two identical darknet leak sites – not uncommon, since leak sites are frequently unavailable – and one communications portal where victims can enter a code to contact the hackers to begin ransom negotiations. None of J’s nine listings mentions a ransom demand or a deadline to pay, and the group’s About page simply states, “To be announced”.
Digging into the leak site’s source suggests the site is built using APIs creatively borrowed from other sources. The source code also features some copy not currently shown on the leak site:
“Here are some interesting secret files from people who didn’t want to cooperate with us.”
At the time of publishing, it is not known if the gang is still in operation, nor do we know the fate of any data that had been successfully stolen. Ransomware gangs like J tend to publish data once negotiations fail, but it’s possible that this particular group could be disclosing the data elsewhere.
No other data on the operation or where it may be operating from is currently available.
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.
Be the first to hear the latest developments in the cyber industry.
