[BreachExchange] Recipe Unlimited denies ransomware attack, despite alleged ransom note

Destry Winant destry at riskbasedsecurity.com
Wed Oct 3 20:42:06 EDT 2018


Recipe Unlimited, which operates 19 franchise restaurant brands, must
think that claiming to be a victim of a “malware outbreak” sounds
better than saying it was a victim of a ransomware attack.
Nevertheless, nine of its restaurant brands were impacted by the
attack, and some have even closed as the bitcoin ransom demand total
grows higher each day.

Corporate said that after the attack (“malware outbreak”), which
happened on Friday, Sept. 28, it tried to stop the spread of the
ransomware by taking several of its systems offline and suspending
internet access to affected locations.

That, in turn, resulted in some restaurants completely closing up shop
because – in the words of a note taped to East Side Mario’s – “the
head office computer was hacked.” The full note posted on Sept. 30
stated, “Due to a computer issue with Head Office we are closed for
the day.” Smaller handwritten info included: “That is 1,400 of our
restaurants closed for the day. The head office computer was hacked.”

In total, nine Recipe Unlimited restaurant brands were impacted by the
attack: Swiss Chalet, Harvey's, Milestones, Kelseys, Montana's, Bier
Markt, East Side Mario's, The Landing Group of Restaurants, and Prime
Pubs brands.

If you are unfamiliar with those restaurants, it might be because
1,318 of all 1,379 Recipe Unlimited restaurants are located in Canada.
At any rate, the impacted restaurants that did not temporarily close
were not able to accept credit or debit transactions.

Ransom increases daily

Despite the company avoiding the words “ransomware attack,” CBC
reportedseeing the ransom note, which “informs Recipe Unlimited that
‘there is a significant hole in the security of your company’ and that
‘we’ve easily penetrated your network.’”

Instead of being a fixed price, the ransom demand increases every day.
The note states, “The final price depends on how fast you write to us.
Every day of delay will cost you additional +0.5 BTC.”

As of the time of writing, .5 bitcoin was equal to $3,224.58. If the
countdown started on Friday and today is Wednesday, that total ransom
demand for six days has jumped up to $19,347.

If Recipe Unlimited opts to pay the ransom, the attackers’ note
promised to give the “decrypted data back,” as well as instructions
for “how to close the hole in security” and “avoid such problems in
the future.”

Recipe Unlimited, however, denied to CBC that it was being held
ransom. In a press release, the company claims, “We maintain
appropriate system and data security measures and as per standard
operating procedures, conduct regular system back-ups to enable us to
restore impacted systems.” It is working “with third-party security
experts and internal teams to resolve the situation as quickly and
effectively as possible.”

As for the ransom demand, Recipe Unlimited claims it was “a ‘generic’
statement associated with a virus called Ryuk and that exact copies of
the ransom note can be found via a Google search.”

While detailing a targeted Ryuk ransomware campaign, Check Point
Research posted two version of the Ryak ransom note. As of August,
Check Point believes the attackers had racked up $640,000 from
ransoms. The security firm believes the Ryak and Hermes ransomware
were related and wondered about the connection to North Korean Lazarus
Group attackers.

As for concerned employees with no clue what is happening or if their
data is in the hands of hackers, Recipe Unlimited claimed, “We have no
indication that this limited malware incident has resulted in any data

Key takeaways might include the obvious: Make sure you have recent
offsite backups, as well as man up if you are hit with a ransomware
attack instead of trying to claim it is a “malware outbreak,” which
led to the temporary closing of some businesses. The truth will come
out sooner or later, so lying won’t help in the long run.

More information about the BreachExchange mailing list