The Conti gang strikes again, disrupting the grocery store supply chain and threatening supermarket shelves that could stay empty for weeks. KP Snacks, maker of the high-end Tyrrell’s and Popchips potato-chip brands, has suffered a ransomware attack that it said could affect deliveries to supermarkets through the end of March 2022 at the earliest. For our US readers: Brits call potato chips “crisps.” You say potato; I say potaaato.
The British company said that the Conti gang was behind the strike, which was reportedly discovered on 31 January 2022. The attackers also stole data in a classic double-extortion gambit, posting “proof” of the theft on their leak site. According to Better Retailing, which first reported the incident, the crisps maker sent its merchant partners a letter on 02 February 2022 explaining the situation, noting that it “cannot safely process orders or dispatch goods.”
“We have teams working through the resolution, but it is unknown when this will be resolved,” the letter, obtained by the outlet, read. “Expect supply issues on base stock and promotions until further notice … initial discussions have highlighted that no orders will be being placed or delivered for a couple of weeks at least and service could be affected until the end of March at the earliest.”
The company has issued a media statement using the established and overused wording: “On Friday, 28 January we became aware that we were unfortunately victims of a ransomware incident. As soon as we became aware of the incident, we enacted our cybersecurity response plan and engaged a leading forensic information technology firm and legal counsel to assist us in our investigation. Our internal IT teams continue to work with third-party experts to assess the situation. We have been continuing to keep our colleagues, customers, and suppliers informed of any developments and apologise for any disruption this may have caused.”
Conti, a sophisticated Russian-speaking cybercrime group, is known for its advanced tactics. Palo Alto Networks has called it “one of the most ruthless” of dozens of ransomware groups currently operating. In December, for instance, it became one of the first to develop a full attack chain for the Log4Shell vulnerability (Emotet -> Cobalt Strike -> Human Exploitation -> (no ADMIN$ share) -> Kerberoast -> vCenter ESXi with log4shell scan for vCenter).
Only four days ago, our analysts researched the resurgence of the Conti group: https://redskyalliance.org/xindustry/resurgence-of-conti-ransomware
“It’s unfortunate to see another organization become one of the 400 victims and counting to be hit by Conti,” the chief security strategist at Exabeam, noted via email. “Unfortunately, these groups keep getting away with these intrusions because they are experts at compromising credentials. Specifically, they utilize Mimikatz, Kerberoast to attack Kerberos, and even check for saved passwords in domain group policy files. Interestingly, they will specifically search for security policy and cyber insurance documents showing that context matters even to the adversary!”
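As an added detection example (not from the article, Red Sky Alliance or Exabeam), the check below runs over constructed Windows Security Event ID 4769 (TGS request) records and flags the Kerberoasting pattern the quote refers to: one account obtaining RC4-encrypted (type 0x17) service tickets for several user-backed service accounts within a short window. The field layout, account names and addresses are assumed for the demo.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed 4769 records (not real telemetry), one per line:
# time,requesting account,service account (ServiceName),TicketEncryptionType,Status,client IP
SAMPLE_4769 = """\
2022-02-01T09:00:01,jdoe@CORP.LOCAL,svc_sql,0x17,0x0,10.0.5.21
2022-02-01T09:00:02,jdoe@CORP.LOCAL,svc_web,0x17,0x0,10.0.5.21
2022-02-01T09:00:02,jdoe@CORP.LOCAL,DC01$,0x17,0x0,10.0.5.21
2022-02-01T09:00:03,jdoe@CORP.LOCAL,svc_backup,0x17,0x0,10.0.5.21
2022-02-01T09:00:04,jdoe@CORP.LOCAL,svc_report,0x17,0x0,10.0.5.21
2022-02-01T09:10:00,asmith@CORP.LOCAL,FS01$,0x12,0x0,10.0.7.4
2022-02-01T09:11:00,asmith@CORP.LOCAL,svc_sql,0x12,0x0,10.0.7.4
2022-02-01T09:12:00,bob@CORP.LOCAL,svc_sql,0x17,0x0,10.0.9.9
2022-02-01T09:12:30,bob@CORP.LOCAL,svc_web,0x17,0x1f,10.0.9.9
2022-02-01T09:30:00,bob@CORP.LOCAL,svc_backup,0x17,0x0,10.0.9.9
"""

RC4_HMAC = "0x17"  # Kerberoasting tools request RC4 tickets because they crack far faster than AES

def parse_4769(text):
    """Parse the constructed CSV records into dicts with a datetime timestamp."""
    records = []
    for line in text.strip().splitlines():
        ts, user, service, etype, status, ip = line.split(",")
        records.append({"time": datetime.fromisoformat(ts), "user": user,
                        "service": service, "etype": etype, "status": status, "ip": ip})
    return records

def kerberoast_suspects(records, window=timedelta(minutes=5), min_services=3):
    """Return {requesting account: sorted service accounts} for accounts that received
    successful RC4 tickets for >= min_services distinct user-backed services within `window`."""
    by_user = defaultdict(list)
    for r in records:
        svc = r["service"]
        if r["etype"] != RC4_HMAC or r["status"] != "0x0":
            continue  # AES tickets and failed requests are not the roasting pattern
        if svc.endswith("$") or svc.lower().startswith("krbtgt"):
            continue  # machine accounts and the TGT service are not crackable targets here
        by_user[r["user"]].append((r["time"], svc))
    suspects = {}
    for user, reqs in by_user.items():
        reqs.sort()
        start = 0
        for end in range(len(reqs)):  # sliding time window over this account's requests
            while reqs[end][0] - reqs[start][0] > window:
                start += 1
            if len({s for _, s in reqs[start:end + 1]}) >= min_services:
                suspects[user] = sorted({s for _, s in reqs})
                break
    return suspects
```

Tune `min_services` and `window` against a baseline of your own domain: some legitimate service accounts still only support RC4, so the distinct-service burst, not the encryption type alone, is what separates roasting from normal use.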
During the attack, the group also stole “credit card statements, birth certificates, spreadsheets with employee addresses and phone numbers, confidential agreements and other sensitive documents,” according to investigators. According to one source, KP Snacks is on a countdown clock: the data will be published if the company does not pay within roughly four days of this writing.
“Data is no longer a commodity, it’s a currency as this incident represents,” said the CEO at Laminar Reporters. “Information within an organization’s network is valuable to both businesses and attackers. With a majority of the world’s data residing in the cloud, it is imperative that security becomes data-centric and solutions become cloud-native. As cloud architectures become more dynamic and complex, solutions need to be completely integrated with the cloud in order to identify potential risks and have a deeper understanding of where the data resides. Using the dual approach of visibility and protection, data security teams can know for certain which data stores are valuable targets and ensure proper controls are in place.”
KP Snacks is not alone: Walkers, another purveyor of British “biscuits” and other treats, was recently affected by what was termed “computer glitches” at its factories. It is up to all organizations to take steps and adopt procedures to protect themselves from ransomware attacks. No government can stop these attacks, except for the countries that are sponsoring and/or benefitting from the ransom payments.
The following is what Red Sky Alliance recommends:
- All data in transit and at rest should be encrypted.
- Proper data back-up and off-site storage policies should be adopted and followed.
- Implement two-factor authentication company-wide.
- For USA readers, join and become active in your local InfraGard chapter; there is no charge for membership (infragard.org).
- Update disaster recovery plans and emergency procedures with cyber threat recovery procedures. And test them.
- Institute cyber threat and phishing training for all employees, with testing and updating.
- Recommend/require cyber security software, services and devices for all employees and consultants working from home.
- Review and update your cyber threat and information security policies and procedures. Make them a part of all emergency planning and training.
- Ensure that all software updates and patches are installed immediately.
- Enroll your company/organization in RedXray for daily notifications of cyber threats directed at your domains. The RedXray service is $500 a month and provides threat intelligence on ten (10) cyber threat categories, including keyloggers, without having to connect to your network.
- Purchase annual cyber insurance coverage from Red Sky Alliance provided by Cysurance.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization that has long collected and analyzed cyber indicators. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or firstname.lastname@example.org
Weekly Cyber Intelligence Briefings:
- Reporting: https://www.redskyalliance.org/
- Website: https://www.wapacklabs.com/
- LinkedIn: https://www.linkedin.com/company/64265941
REDSHORTS - Weekly Cyber Intelligence Briefings