Ransomware Attack On KP Snacks Prompts Shortage Warning

KP Snacks has suffered a ransomware cyberattack that had led the German-owned British business to issue a supply warning to British shops.

The Guardian reported that the firm sent a letter to British stores saying the ransomware attack, has crippled its IT and communications systems. It warned this could lead to supply issues until “the end of March at the earliest” as it “cannot safely process orders or dispatch goods”.

KP Snacks is responsible for a number of branded snacks in the UK, including KP nuts, Hula Hoops, McCoy’s and Tyrrells crisps, among others.

Shortage warning

The Guardian said the warning message, sent out through the groceries wholesaler Nisa, said KP Snacks was going to limit the size of orders to retailers so it could “manage what stock we do have”, according to the website Better Retailing, which first published news of the attack.

“On Friday 28 January we became aware that we were unfortunately victims of a ransomware incident,” KP Snacks was quoted as saying in a statement. “As soon as we became aware of the incident, we enacted our cybersecurity response plan and engaged a leading forensic information technology firm and legal counsel to assist us in our investigation.”

“Our internal IT teams continue to work with third-party experts to assess the situation,” it added. “We have been continuing to keep our colleagues, customers, and suppliers informed of any developments and apologise for any disruption this may have caused.”

The hackers are reportedly threatening to release information stolen from the company’s IT systems in order to try to force it into making a payment to decrypt its files to continue operations.

Critical industry

Attacks on foods suppliers can be considered a critical industry attack, and therefore a national security issue.

It comes after the UK’s National Cyber Security Centre (NCSC) last week issued a blunt warning to British organisations to take action to bolster their cyber security resilience in response to the malicious cyber incidents in and around Ukraine.

In December more than 600 Spar convenience stores were impacted by a ransomware attack on a third party supplier called James Hall & Company, which operates its tills and IT systems.

Prior to that in October, crisp giant Walkers was hit by IT issues that resulted in gaps on shelves that lasted through to the end of December.

That same month, Tesco managed to quickly restore its website and app, after the supermarket giant confirmed “attempts to interfere with our systems.”

And in July a devastating supply chain attack targetted software from Miami-based Kaseya, which impacted most of the Co-op’s 800 stores in Sweden, which were unable to open because cash registers weren’t working.

In June there was a ransomware attack on Brazil-based meat supplier JBS SA, which was so serious it wiped out one-fifth of US beef capacity, with slaughterhouses being closed down in both Australia and the US.

Industry response

The attack on KP Snacks has therefore generate a large response from the security industry.

Proofpoint’s cybersecurity strategist Adenike Cosgrove has warned that unless food manufacturers get their act together and focus on preventing these attacks, they will continue to be victimised as cybercriminals are focusing their efforts on the weak defences in these companies.

“Cybercriminals recognise that companies in the manufacturing and food supply chain sectors have been woefully underprepared to prevent these incidents, investing too little in their defences and overly reliant on legacy technology,” noted Cosgrove.

“So it is absolutely no surprise that we see companies like JBS last year and now KP increasingly targeted and often becoming the most heavily disrupted and damaged by ransomware,” said Cosgrove.

“Attempting to recover from these kinds of incidents is a nightmarish proposition and no organisation comes out unscathed,” said Cosgrove. “There is no telling how long the attackers were inside the compromised systems, and no indication as to the true extent of the data loss, damage, and financial impact to KP and any of its partners and suppliers. To add to this, insurance companies are now refusing to pay out for ransom payments and incidents such as this.”

“This is the wakeup call for manufacturers in the food supply chain or any organisation with legacy IT systems to focus on investing in prevention of ransomware at all costs,” said Cosgrove. “Cybercriminals will target organisations and sectors where they see a simple route in, combined with the maximum potential for disruption and in turn, leverage for financial gain. We need to change the conversation on ransomware from recovery to prevention. You don’t want to play the game with cybercriminals when they’ve already made their way in.”

Supply shortages

Another expert said that an attack that triggers a supply shortage is an attractive option for attackers, as it increases the pressure on victims to pay the ransom.

“Consumers and the wider retail sector are increasingly feelings the effects of ransomware, which is the top use case of Darktrace’s Autonomous Response technology,” noted Toby Lewis, head of threat analysis at Darktrace.

“Supply shortages, especially of highly recognisable brands, are appealing to ransomware attackers because the public attention magnifies the pressure on victims to pay,” said Lewis. “Double extortion, whereby attackers exfiltrate the data and threaten to sell it as seen here, is also a popular tactic with adversaries.”

“More unusual is KP Snacks’ statement, which anticipates supply issues will continue into March as a result of the attack,” said Lewis. “Organisations typically predict a much quicker turn around (although few deliver on this). KP Snacks’ approach may be an indicator of a more mature incident management programme.”

“It remains to be seen whether KP Snacks lost all IT functionality due to the attack or whether they had to shut down in order to prevent further damage,” said Lewis. “The latter is often the case, and is no less disruptive. But once attackers have gained access to a digital estate, data exfiltration is only one of the actions they may have taken. Suppliers, logistics companies and customers of KP Snacks must now examine their security posture in case the attackers look to exploit a vulnerability to impact the full supply chain.”

Recovery time

Another expert picked up on the recovery time KP Snacks said it needs.

“This incident seems rather normal for a ransomware attack hitting a food manufacturing/ distribution company,” John Rodgers, principal incident response consultant at F-Secure.

“While it’s hard to say how long it would really take them to get back up and running, it is good to see that KP is under no illusion that it may take them at least 2 months to get back and running,” said Rodgers.

Everyone is vulnerable

Another expert said the attack on KP Snacks is a reminder that no industry is immune to being targeted by cybercriminals.

“For the next few hours, damage control will be in full force – and how the business reacts will be critical to ensuring the welfare of the company, mitigating the damage of the attack, limiting downtime of operations, and therefore minimising the predicted supply chain delays and cancellations,” noted Chris Vaughan, area VP of technical account management at Tanium.

“Getting back to the basics of IT operations and security is the first step in helping any organisation avoid the worst-case scenario,” said Vaughan. “Having the right security defences in place to protect your IT infrastructure – including having back up mechanisms which are regularly tested – can significantly mitigate the damage of a ransomware attack.”

Read also : New Zealand Joins US, UK, Netherlands Alleging Chinese Cyber Espionage

“It’s critical that organisations have a high level of visibility of the devices connecting to the corporate network,” said Vaughan. “This will help them identify any weaknesses that could increase the likelihood of a ransomware attack being successful, such as unpatched devices or users adopting risky behaviours.”

“Endpoint security and visibility can also help to limit lateral movement in an environment – helping to limit the spread and damage of an attack once it has breached the corporate network,” said Vaughan.

“Another way to minimise the impact of ransomware attacks is to ensure staff are trained to look out for potentially malicious links in emails,” said Vaughan. “It’s not correct to think that everyone already understands and follows this advice as many successful ransomware attacks begin in this way. My message is that you can’t always stop a sophisticated cyber attack, but by having a good standard of IT hygiene and training in place you can certainly make it more difficult for the attackers to be successful.”

Disruption impact

Another expert pointed out the disruption that attacks like this can have, and these impacts must be considered when firms are seeking to invest in robust cybersecurity protections.

“This incident highlights the devastating and long-lasting effects a cybersecurity attack can have on a business, as KP Snacks looks likely to face difficulty safely processing orders or dispatching goods for the foreseeable,” noted Steven Wood, director, at Carbonite + Webroot.

“This should come as a stark warning on how vital it is for companies to invest in robust cybersecurity protection, to avoid these attacks happening in the future,” said Wood. “Retail industries are often the most vulnerable to ransomware and distributed denial of service (DDoS) attacks. Even just a few hours of disruption to systems can cause inconvenience to customers and lead to millions of pounds of losses.”

“To mitigate future attacks, organisations must step up and implement robust security systems, processes and staff training to ensure cyber resilience,” said Wood. “One layer of defence is not enough to sufficiently reduce your organisation’s exposure to risk. It is crucial to build multiple layers of protection, detection and response into your infrastructure. Having these tight processes in place will help protect the business, services, and systems and help to uncover weaknesses before criminals exploit them.”

No good options

Another security expert pointed out that there no good options for KP Snacks at the moment, and even if they pay for a decrypt tool, it may not stop data being leaked at a later date.

“Conti ransomware has become associated with significant real-world impact via their attacks,” noted Chris Boyd, lead analyst at Malwarebytes.. “The ransomware outbreak on the Irish Health Service Executive caused a serious impact on operations, and here we have potentially severe ramifications for a well-known producer of food products.”

“Delays until March for food shipments are bad enough but encrypting corporate files and threatening to leak sensitive data will have many employees worried,” Boyd said.

“While we don’t know if KP intends to pay the ransom, there’s no guarantee those holding the key won’t simply leak the files later,” said Boyd. “Whether they pay or refuse to comply with the ransom demands, there may be no good ending to this story.”

Food security

The last security expert said this attack demonstrates the need for food manufacturers to take a proactive cybersecurity posture and gain visibility into their supply chain.

“The fact is, we are seeing a significant increase in food manufacturers like KP Snacks becoming preferred targets for ransomware groups,” noted Todd Carroll, CISO CybelAngel.

“Given the nature of consumables and the importance of food safety, this is alarming for all of us,” said Carroll.

“Without a proactive cybersecurity posture and visibility into their supply chain, they risk their brand’s reputation, compromised products, and extensive downtime costing tens or even hundreds of millions of pounds,” Carroll concluded.