KP Snacks, maker of the high-end Tyrrell’s and Popchips potato-chip brands, has suffered a ransomware attack that it said could affect deliveries to supermarkets through the end of March – at the earliest.
The British company (also the purveyor of deeply English treats such as Skips prawn cocktail snacks and Butterkist toffees) said that the Conti gang was behind the strike, which was reportedly discovered on Monday. True to form, the cyberattackers also stole data in a classic double-extortion gambit, posting “proof” of the steal on its leak site.
According to Better Retailing, which first reported the incident, the crisps connoisseur sent its merchant partners a letter on Wednesday explaining the situation, noting that it “cannot safely process orders or dispatch goods.”
“We have teams working through the resolution, but it is unknown when this will be resolved,” the letter, obtained by the outlet, read. “Expect supply issues on base stock and promotions until further notice…initial discussions have highlighted that no orders will be being placed or delivered for a couple of weeks at least and service could be affected until the end of March at the earliest.”
The provisions peddler also has issued a media statement, featuring the usual boilerplate:
“On Friday, 28 January we became aware that we were unfortunately victims of a ransomware incident. As soon as we became aware of the incident, we enacted our cybersecurity response plan and engaged a leading forensic information technology firm and legal counsel to assist us in our investigation. Our internal IT teams continue to work with third-party experts to assess the situation. We have been continuing to keep our colleagues, customers, and suppliers informed of any developments and apologise for any disruption this may have caused.”
Conti, a sophisticated Russian-speaking cybercrime group, is known for its advanced tactics. Palo Alto Networks has called it “one of the most ruthless” of dozens of ransomware groups currently operating. In December, for instance, it became one of the first to develop a full attack chain for the Log4Shell vulnerability (Emotet -> Cobalt Strike -> Human Exploitation -> (no ADMIN$ share) -> Kerberoast -> vCenter ESXi with log4shell scan for vCenter).
“It’s unfortunate to see another organization become one of the 400 victims and counting to be hit by Conti,” Steve Moore, chief security strategist at Exabeam, said via email. “Unfortunately, these groups keep getting away with these intrusions because they are experts at compromising credentials. Specifically, they utilize Mimikatz, Kerberoast to attack Kerberos, and even check for saved passwords in domain group policy files. Interestingly, they will specifically search for security policy and cyber-insurance documents – showing that context matters even to the adversary!”
During that recon effort, the group also stole “credit card statements, birth certificates, spreadsheets with employee addresses and phone numbers, confidential agreements and other sensitive documents,” according to BleepingComputer’s peek at the data-leak site. And according to one source, KP Snacks has been put on a countdown clock where the data will be published if the company doesn’t pay up within four or so days at this point.
https://twitter.com/ido_cohen2/status/1488522037278789637
“Data is no longer a commodity, it’s a currency — as this incident represents,” Amit Shaked, CEO at Laminar, told Threatpost via email. “Information within an organization’s network is valuable to both businesses and attackers. With a majority of the world’s data residing in the cloud, it is imperative that security becomes data-centric and solutions become cloud-native. As cloud architectures become more dynamic and complex, solutions need to be completely integrated with the cloud in order to identify potential risks and have a deeper understanding of where the data resides. Using the dual approach of visibility and protection, data security teams can know for certain which data stores are valuable targets and ensure proper controls are in place.”
KP Snacks isn’t alone – the Walkers company, also a booster of British “biscuits” and other nosh, was recently affected by what was termed “computer glitches” at its factories.
Cover image courtesy of KP Snacks.
Check out our free upcoming live and on-demand online town halls – unique, dynamic discussions with cybersecurity experts and the Threatpost community.