Ransomware Attack at UK Snack Provider

By Gregory Hale
A British snack food provider, Kenyon Produce (KP) Snacks, suffered an attack by the Conti ransomware group that disrupted distribution to supermarkets, and the company could now be in negotiations for the decryption key.
The German-owned company said it became aware of the attack on January 28, and it immediately took steps to contain the attack. A letter from KP Snacks sent to store owners February 2 said its systems had been “compromised by ransomware” and it “cannot safely process orders or dispatch goods.”
“A post was identified on Conti’s data leak site (DLS) on 1 February 2022 confirming the group’s involvement in the attack against KP Snacks,” said Silas Cutler, principal reverse engineer at Stairwell. “This post has since been removed, potentially indicating negotiations are underway for decryption of ransomed systems. When the post was made, Conti had set a timer stating data would be published in 5 days (6 February).
“Groups like Conti are known to use a two-pronged approach when conducting attacks. The first being the ransoming of an organization’s data, followed by the private sale or public disclosure of sensitive internal data. By their nature, ransomware attacks cause severe disruptions to an organization’s infrastructure and recovery can require weeks for even a well-established IT team to fully recover, even after paying ransom demands and receiving tools to decrypt systems.”
KP Snacks includes brands such as PopChips, Skips, Hula Hoops, Penn State pretzels, McCoy’s, and Wheat Crunchies. The company has over 2,000 employees and annual revenues of $600 million.
Deliveries Delayed
Because of the attack, deliveries from the company to superstores are being delayed or canceled altogether. According to discussions between KP Snacks and its partner supermarkets, the supply shortage issues may last until the end of March.
The company’s internal network had been breached with threat actors gaining access to and encrypting sensitive files, including employee records and financial documents, according to a report in BleepingComputer.
“Conti is well known for their broad targeting of companies with revenues over $100 million,” Cutler said. “Access to these companies is often sold to Ransomware-as-a-Service (RaaS) providers (like Conti), who handle victim negotiation and in turn share a percentage of the profits with all parties involved. A key challenge with tracking and eventually attributing ransomware attacks is that access brokers will often work with multiple RaaS groups in order to maximize their own profits.
“As attacks from ransomware groups become ever more frequent, having regular backups and practiced disaster recovery procedures is critical for organizations to respond effectively against these types of threats,” Cutler said.
On the private leak page, Conti shared samples of credit card statements, birth certificates, spreadsheets with employee addresses and phone numbers, confidential agreements, and other sensitive documents.
KP Snacks’ internal IT teams are working with third party security experts to assess the situation.
Lying in Wait
“The KP Snacks ransomware attack is yet another reminder of the need for strong security protocols as organizations’ IT and OT networks continue to converge,” said Marty Edwards, vice president of OT Security at Tenable. “Most ransomware attacks exploit a lack of cyber hygiene, and threat actors are waiting to take advantage. Organizations must protect themselves by doing the basics well, beginning with having complete visibility into all assets, including Cloud, IT and OT.
“Attackers leverage a variety of mechanisms including Active Directory misconfigurations or trust relationships as well as exploiting well known vulnerabilities that should have been remediated. It is only a matter of time before these typically IT oriented attacks begin to more dramatically impact OT systems directly and more organizations fall victim.
“What organizations should learn from this incident is that basic security principles can go a long way,” Edwards said. “Without implementing these, any business can and should expect disrupted core functions like manufacturing, shipping and more.”
In a survey of IT execs and security leaders, 60 percent of respondents believe the threat of ransomware is on the same level as terrorism, according to Venafi’s Global Security Report.
Other findings include:
- 22 percent of respondents believe it is morally wrong to pay a ransom even if it seriously compromised critical systems or data.
- 77 percent are confident their current security tools will protect their organization from future attacks despite the fact that over two thirds have experienced a ransomware attack in the last year.
- 77 percent said they will increase spending on ransomware security controls over the next 12 months.
In addition, in a global survey by security provider Claroty of 1,100 information technology (IT) and operational technology (OT) security professionals, 80 percent of respondents experienced a ransomware attack, with 47 percent reporting an impact to their OT/industrial control system (ICS) environment. In addition, over 60 percent paid the ransom and 52 percent paid $500,000 USD or more.
Conti is a Ransomware-as-a-Service (RaaS) operation linked to the Wizard Spider Russian cybercrime group, also known for other malware, including Ryuk, TrickBot, and BazarLoader.
The ransomware group’s affiliates breach targets’ networks after corporate devices get infected with BazarLoader or TrickBot malware, providing them remote access to the compromised system.