Conti Gang Suspected of Ransomware Attack on McMenamins

The incident occurred last weekend at the popular chain of restaurants, hotels and breweries, which is still facing disruptions.

A family-run chain of hotels and restaurants this week has been grappling with the aftermath of a ransomware attack that occurred last weekend that may have exposed employees’ sensitive personal data, according to multiple reports.

The incident – which some have attributed to the Conti gang – forced McMenamins to shut down various operations, though locations could still receive customers. McMenamins is a popular chain of restaurants, pubs, breweries and hotels located in the Pacific Northwest: specifically, Washington and Oregon.

The company had to shut down its IT systems, credit card point-of-sale systems and corporate email to prevent the further spread of the attack, according to reports.

Infosec Insiders Newsletter

The company confirmed that the attack occurred on Dec. 12 “when cybercriminals deployed malicious software that locked the company’s systems and prevented access to critical information,” it said in a press statement to various news outlets on Wednesday.

A message on the chain’s website on Friday informed visitors of an outage that would affect anyone trying to contact the company through email.

“We are currently experiencing technical issues with our email system,” according to the message. “There may be delays in response time as staff is unable to send and receive messages at this time. Thank you for your patience!”

Employee Data Exposed

While McMenamins officials do not believe there was an impact on customer payment data, the names, Social Security numbers, bank information and other data of its 2,700 employees may have been exposed. The company is providing identity and credit protection services to its workers in response, according to the statement.

Co-founder Brian McMenamin said the breach “is especially disheartening” given its timing after the “strain and hardship” McMenamins’ employees have gone through over the past two years during the pandemic, according to a press statement.

“We ask that our customers give our employees extra grace as we make temporary adjustments in the way we process transactions and reservations, given the impacts to our systems by this breach,” he said, according to reports.

McMenamins has reported the incident to the FBI and is also working with a cybersecurity firm to identify the source and full scope of the attack, the company said.

Work of Conti Group?

Though McMenamins has not identified the ransomware group responsible for the attack, a report from Bleepingcomputer said sources have attributed it to the Russia-based Conti group, which Palo Alto Networks has called “one of the most ruthless” of dozens of ransomware groups currently known to be active

Indeed, Conti has made headlines in the last year attacking organizations where IT outages may not just disrupt a company’s customer-facing services or networks, but also threaten lives: health services, emergency number dispatch carriers, emergency medical services and law-enforcement agencies.

The Conti gang also has been known to ask unreasonable ransom amounts for keys to encrypted data from organizations that clearly wouldn’t have the money to pay. Earlier this year, the group demanded a $40 million ransom from a Fort Lauderdale, Fla., public school district, Broward County Public Schools.

Conti group recently added even more firepower to its ransomware capabilities, honing its ability to destroy backups its victims may have to recover from attacks. A solid backup for data locked down by ransomware criminals is one way companies can avoid paying a ransom.

Check out our free upcoming live and on-demand online town halls – unique, dynamic discussions with cybersecurity experts and the Threatpost community.

 

Suggested articles