UPDATE: Maple Leaf Foods has confirmed it was hit by ransomware, and that it won’t pay for the return of stolen data.
The Black Basta ransomware gang now lists Canadian meat processor Maple Leaf Foods as one of its victims. It isn’t clear, but the listing could be related to the cyber incident the company acknowledged earlier this month.
At the time of the incident, a Maple Leaf Foods spokesperson said an IT outage was creating some operational and service disruptions that varied by business unit, plant, and site.
In reply to a request for comment from IT World Canada on its listing by Black Basta, the company issued a statement saying, “We won’t dignify criminals by naming them.”
“Unfortunately, we know that the people behind this incident were able to gain unauthorized access to some of our data, and they are threatening to release it unless we pay a ransom, which we will not do.”
“We’re sorry this occurred and apologize for the frustration and challenges it may cause. We have invested significant resources into the security of our systems and take the confidentiality and security of the information in our possession very seriously. We are being vigilant in our response, taking purposeful action to do what we believe is right to minimize any disruption. We are also providing our Team Members with two years of credit monitoring services.
“The illegal acts that compromised our system and potentially put information at risk is intolerable and our company will not pay ransom to criminals. We are asking responsible people – including those in the media – not to entertain any ‘leads’ they get from stolen or compromised data and not to contact anyone based on illegally-obtained information.”
The statement added that, working with experts, the company has been able to quickly and safely restore its IT systems.
According to a security industry source, the listing on the Black Basta site appeared within the last 24 hours. It posted multiple screenshots of various documents allegedly copied from the company, but made no specific claim as to the exact amount of data exfiltrated.
Black Basta has also taken credit for a recent attack on the Sobeys supermarket chain. The two claims led David Shipley, head of New Brunswick’s Beauceron Security, to wonder if the threat group is going after the food sector. “I don’t believe in coincidences when it comes to ransomware,” he said in an email to IT World Canada. “Either this is evidence of a sector-focus, which we’ve seen before, or there was a link between the two attacks we haven’t yet seen.”
The claim by Black Basta is the latest in a string of Canadian ransomware-related news this week. The city of Westmount, QC, acknowledged being hit by ransomware, the BianLian gang appeared to take credit for an October cyber attack on upscale menswear chain Harry Rosen, and the union representing Ontario’s public high school teachers began notifying members whose data was stolen in a ransomware attack in May.
In its last quarterly financial report, Maple Leaf Foods said it had a net loss of C$54.6 million on sales of C$1.195 billion.
It has two divisions: The Meat Protein Group produces prepared meats, ready-to-cook and ready-to-serve meals, value-added fresh pork and poultry products that are sold to retail, food service and industrial channels, and agricultural operations in pork and poultry. The Plant Protein Group is comprised of refrigerated plant protein products, premium grain-based protein, and vegan cheese products, sold to retail, food service and industrial channels.
In an alert this week, researchers at Cybereason said the Black Basta ransomware gang has recently adopted the QakBot malware to create an initial point of entry and move laterally within an organization’s IT network. In the last two weeks more than 10 Cybereason customers were affected by this recent campaign. Two of those attacks allowed the threat actor to deploy ransomware and then lock the organization out of its network by disabling its DNS service, making the recovery complex.
QakBot, also known as QBot or Pinkslipbot, is a banking trojan primarily used to steal victims’ financial data, including browser information, keystrokes, and credentials, the alert says. Once QakBot has successfully infected an environment, the malware installs a backdoor allowing the threat actor to drop additional malware.
In attacks dissected by Cybereason, the threat actor moved extremely fast, obtaining domain administrator privileges in less than two hours and moving to ransomware deployment in less than 12 hours. Typically, attacks began with an employee falling for a spam/phishing email containing malicious URL links. That led to the installation of QakBot. Sometimes the attacker also used the Cobalt Strike toolkit — or copies of it — to gain remote access to a domain controller.
Illegal copies of Cobalt Strike are a favourite tool of many threat actors. In an effort to blunt its effectiveness, this month Google released YARA rules for detecting unapproved use of Cobalt Strike.