Starbucks and several major U.K. supermarkets experienced disruption due to a ransomware attack on the prominent supply chain software provider Blue Yonder. The company disclosed the incident on Thursday, Nov. 21, and it was still working to restore services the following Monday.
The disruption to the Blue Yonder platform prevented Starbucks from paying its baristas and managing their schedules, according to the Wall Street Journal. As a result, cafe managers had to manually calculate their employees’ pay from scheduled shifts, which leaves a larger margin for error because actual hours worked may not match the schedule.
Sainsbury’s and Morrisons, two of the largest supermarket chains in the U.K., were also impacted, according to trade magazine The Grocer. Sainsbury’s said it had contingencies to mitigate any disruption and restored all operations by Monday, as per TechCrunch.
‘Termite’ claims responsibility, although the investigation remains ongoing
Ransomware group Termite has claimed responsibility for the attack in a post on its dark web leak site, according to Cybersecurity Dive. It claims to have 680 GB of Blue Yonder data.
Termite has targeted organisations in France, Canada, Germany, Oman, and the U.S. using “infamous” Babuk ransomware, according to a security notice from Broadcom. The group exfiltrates sensitive data while encrypting files, adding a signature ‘.termite’ extension, and threatens to leak stolen information if the ransom isn’t paid.
The group targeted Blue Yonder’s managed services-hosted environment; the company’s Azure public cloud was unaffected. Blue Yonder brought in external cybersecurity firms to address the incident and says that “a significant majority of [its] impacted customers have had their service restored.” But, as of Dec. 12, its investigation is still ongoing.
Morrisons reverted to a backup system to manage its warehouses but said the attack impacted the flow of goods to its stores. One of its suppliers said that chilled orders were cancelled on Friday due to the incident, and the supermarket anticipated that the availability of some convenience and wholesale products could drop to as low as 60%.
On Dec. 11, Starbucks confirmed to Cybersecurity Dive that its Blue Yonder-based employee scheduling platform was back in service.
Supply-chain, ransomware attacks are on the rise
In recent years, supply-chain attacks have become a growing concern in the cybersecurity landscape. The attacks on SolarWinds, Log4j, and Codecov are notable ones. Supply-chain attacks are especially attractive to cybercriminals because they offer multiple rewards for a single breach.
Thirty-one percent of organisations experienced a software-as-a-service data breach in the last 12 months, a 5% increase over the previous year, according to AppOmni.
This surge may be linked to inadequate visibility of the increasing number of deployed apps. According to Onymos, the average enterprise now relies on over 130 SaaS applications compared with just 80 in 2020.
Last year, British Airways, the BBC, and Boots were all served an ultimatum after they were hit with a supply-chain attack by the ransomware group Clop. Clop exploited an SQL injection vulnerability in the popular business software MOVEit and accessed its servers to steal business data.
Ransomware attacks are also on the rise. Microsoft reported a 2.75-fold increase in ransomware attempts this year, and the second quarter saw the highest number of active ransomware groups on record. Artificial intelligence could also be lowering the barrier to entry for staging these attacks, widening the pool of individuals who might do so.
Global ransomware payments exceeded $1 billion for the first time in 2023. “Big game hunting,” where groups go after large organisations and demand ransoms of over $1 million, is increasing in prevalence, and affected organisations are often tempted to pay.