A Conti ransomware attack on KP Snacks disrupted its IT systems and is expected to cause supply chain problems. Better Retailing disclosed the contents of messages that wholesaler Nisa sent to its partners on February 1, warning them to “expect supply issues on base stock and promotions until further notice.”
Similarly, KP Snacks sent a letter to partner shops on February 2, notifying them that its IT systems were compromised and its ordering processes would be affected.
Owned by the German Intersnack Group GmbH & Co. KG, KP Snacks makes popular English treats such as Butterkist, Hula Hoops, KP Nuts, Space Raiders, McCoy’s, Tyrrells, Nik Naks, and Skips. With over 2,000 employees, the company earns over $630 million per year.
KP Snacks supply chain problems to last until end March
KP Snacks said it could not “safely process orders or dispatch goods” after a ransomware attack disrupted its IT systems. Thus, no orders would be placed or delivered until at least the end of March. Additionally, KP Snacks would cap orders to reflect the remaining stock.
Despite the anticipated supply chain problems, the company promised to “keep our products stocked and on shelves” and was keeping its colleagues, customers, and suppliers informed of any future developments.
Jack Chapman, VP of Threat Intelligence at Egress, says the incident highlights the extent of the supply chain upheaval that ransomware attacks can cause.
“Once attackers are inside your systems, they hold all the power – and for businesses like KP Snacks, this can create significant disruption and even cause day-to-day operations to grind to a halt. Depending on the scale of the attack, this can have a serious knock-on effect on an organization’s bottom line.”
The KP Snacks ransomware attack is the second largest supply chain disruption in the sector, after a system upgrade at Walkers caused supply problems in November 2021.
Conti cybercrime gang responsible for KP Snacks ransomware attack
KP Snacks said it discovered the ransomware attack on January 28. It immediately activated its cyber response plan and began working with third-party experts to assess the situation.
“As soon as we became aware of the incident, we enacted our cybersecurity response plan and engaged a leading forensic information technology firm and legal counsel to assist us in our investigation.”
The company did not disclose the group behind the ransomware attack, but the Conti cybercrime gang added KP Snacks’ logo and company information to its data leak site.
The BBC also reported that hackers had posted staff documents bearing the company’s letterhead on an underground hacking forum, alongside a countdown for release if a ransom is not paid. Sample data published on a dark web forum included credit card statements, birth certificates, employment contracts, phone numbers, and home addresses.
Similarly, the technology news website BleepingComputer quoted a source saying that the hackers accessed the company’s financials during the ransomware attack. Many companies prefer to keep this information confidential, so obtaining it during an attack gives the hackers more leverage.
However, neither the ransomware gang nor KP Snacks has disclosed whether negotiations were taking place or the amount of ransom demanded.
“A post was identified on Conti’s data leak site (DLS) on 1 February 2022 confirming the group’s involvement in the attack against KP Snacks,” said Silas Cutler, Principal Reverse Engineer at Stairwell. “This post has since been removed, potentially indicating negotiations are underway for decryption of ransomed systems. When the post was made, Conti had set a timer stating data would be published in 5 days (6 February).”
Conti operates a double extortion model: after encrypting its victims’ systems, it sells or freely publishes the stolen data to cause reputational damage.
“Groups like Conti are known to use a two-prong approach when conducting attacks,” Cutler continued. “The first being the ransoming of an organization’s data, followed by the private sale or public disclosure of sensitive internal data.
“By their nature, ransomware attacks cause severe disruptions to an organization’s infrastructure and recovery can require weeks for even a well-established IT team to fully recover – even after paying ransom demands and receiving tools to decrypt systems.”
The Ransomware-as-a-Service (RaaS) gang, which operates out of St. Petersburg, Russia, is linked to the Russian cybercrime syndicate Wizard Spider.
The group has carved a name for itself by targeting large organizations, including the NHS, Bank of Indonesia, the Nordic Choice hotel group, Ireland’s Department of Health (DoH), and the marketing firm RR Donnelley (RRD).
On September 22, 2021, the FBI, CISA, and NSA issued a joint cybersecurity alert on increased Conti ransomware attacks. The agencies warned that Conti operators gain access through spear-phishing, stolen RDP credentials, exploitation of common vulnerabilities, phone calls, and malware such as ZLoader, and that they deploy Ryuk, TrickBot, and BazarLoader at various stages of their attacks.
Steve Moore, chief security strategist at Exabeam, says at least 400 organizations have been victimized by the Conti ransomware gang, with at least 290 confirmed attacks in the United States. Moore noted that ransomware groups use Mimikatz, Kerberoasting against Kerberos, and searches of domain group policy files for saved passwords.
Chris Boyd, a Lead Analyst at Malwarebytes, said the incident has severe ramifications for the food producer beyond the supply chain disruption.
“Delays until March for food shipments are bad enough, but encrypting corporate files and threatening to leak sensitive data will have many employees worried. While we don’t know if KP intends to pay the ransom, there’s no guarantee those holding the key won’t simply leak the files later. Whether they pay or refuse to comply with the ransom demands, there may be no good ending to this story.”