Ransomware attacks targeting U.S. supply chains have spiraled in the recent past. Incidents are growing by the day, and the latest to join the list is the popular foodservice supplier Edward Don. The company has not publicly disclosed the security incident, but its employees have reportedly said that a ransomware attack has locked them out of their systems and forced them to decline orders until the systems are up again.
Edward Don and Company is a known distributor of foodservice equipment and supplies in the U.S. Its portfolio includes products from kitchen supplies to flatware and bar supplies to dinnerware. Moreover, its clientele includes top U.S. hospitals, restaurants, hotels, and bars. Thus, a cyberattack on its systems meant significant disruption of the entire supply chain and its operations.
The ransomware attack, which took place early last week, has affected Edward Don’s networks, phone systems, and even its email services. According to reports, the email outage not only forced employees to decline new orders but also compelled the firm to handle all communications for already placed and urgent orders via private Gmail accounts.
Qbot Behind the Attack?
As the company has not issued an official statement so far, accurate details about the operators and how the compromise took place are not yet clear. However, reports suggest that Qbot malware operators could be behind the attack.
Qbot malware is a banking trojan that has been active for over a decade and is known to regularly upgrade its malicious capabilities. Its operators steal users’ keystrokes, deploy backdoors, and spread malware payloads on compromised devices. Their primary targets have always been financial institutions across the U.S.; of late, however, they seem to have begun working closely with ransomware gangs and their affiliates for increased monetary gains. In this new association, their job is to provide ransomware gangs with access to compromised networks, through which the gangs can spread laterally and inflict severe damage. This combination of attacks seems to be the exact strategy used in the ransomware campaign against Edward Don.
What the Expert Says
Troy Gill, Threat Hunter and Manager of the Zix | AppRiver Research Team, told CISO MAG:
“The new attack on Edward Don continues to underline the significant disruption ransomware has had to critical infrastructure and the supply chain of organizations in the U.S. This continues to add to the trend of ‘ransomware as a service’.
Although it is not clear yet what ransomware operation has conducted the attack, it is said to have been infected by the Qbot malware based on their adversarial visibility. Qbot is known to partner with ransomware operations to supply them remote access to infected networks and we have seen a ramp-up in Qbot activity following the takedown of Emotet early this year. Ransomware operators that are reliant on buying access to compromised systems will surely turn to alternatives such as Qbot. Organizations need to identify and block these attacks daily, which are mostly leveraging malicious macro-enabled XLS files.
Remote work has continued to add to the rise of attacks and thus email still remains the top attack vector for advanced threats. Organizations must mandatorily enforce two-factor authentication (2FA) or a multi-layered protection approach (MFA) that better safeguards the entire network – including the company, employees, and end customers. Additionally, organizations should regularly run security audits to identify suspicious user behavior.”