KP Snacks, purveyor of iconic British snacks such as Skips and Butterkist, has been hit with a ransomware attack threatening to impact deliveries at least until the end of March.
The company announced that Conti, an incredibly effective Russian-speaking group, is behind the attack. As is typical for the gang, they stole data in a double-extortion operation, posting “proof” of the steal on their leak site.
Jamie Akhtar, CEO and founder of Cybersmart, said, “as well as being a dark day for snack lovers everywhere, this incident demonstrates just how devastating a successful ransomware attack can be. Not only is KP set to lose revenue from the downtime caused by the breach, but the effects will also be felt throughout its supply chain.”
“Cybercriminals know that businesses like KP, with large, complex supply chains, make fantastic targets for ransomware attacks due to both their vulnerability and the potential damage that can be caused. It’s why we’re seeing more attacks on the food and drink industry in recent months,” Akhtar continued.
Better Retailing first reported the incident, saying that the snack giant sent merchant partners a letter on Wednesday detailing the situation and highlighting their inability to safely process orders or dispatch product.
Javvad Malik, lead security awareness advocate at KnowBe4, also noted the potential reverberations of the attack.
“Another day, another example of how a ransomware attack can have far-reaching implications. Nearly every industry and size of organisation is highly dependent upon IT systems, so even if a part of the technology becomes unavailable, it could impact the whole business.
In recent months, we’ve seen attacks on oil supply and payroll in addition to this recent attack against food and snacks. All of these are essential goods and services for individuals and organisations, so having robust security controls is essential.
The majority of ransomware attacks are successful because of unpatched software, weak credentials, or through social engineering such as spearphishing. So having in place processes to manage patching, technology to strengthen credentials, and providing timely and appropriate security awareness and training to all staff can go a long way in preventing such attacks from being successful,” he said.
Alistair Thomson, Risk and Intelligence Lead at Adarma, shared his top tips on how to find early-stage intrusion activity, based on recent activity seen from Conti:
“1. Detect the presence of NetScan.exe (ATT&CK Techniques T1082, T1083)
2. Detect the presence of Cobalt Strike, especially default configurations (Multiple ATT&CK Techniques)
3. Detect creation of .dmp files which indicate LSASS dumping activity (ATT&CK Technique T1003)
4. Detect anomalous Active Directory administrator accounts (ATT&CK T1098, T1136)
5. Detect suspicious programs executed through scheduled tasks (ATT&CK technique T1053).”