Illinois candy giant hit with ransomware weeks before Halloween

Ferrara Candy told ZDNet it was hit with ransomware on October 9.
Written by Jonathan Greig, Contributor

Ferrara Candy -- the candy giant behind Nerds, Laffy Taffy, Now and Laters, SweetTarts, Jaw Busters, Nips, Runts and Gobstoppers -- announced that it was hit with a ransomware attack just weeks before it prepares for one of its biggest holidays: Halloween.

The Illinois-based company told ZDNet in a statement that on October 9, they "disrupted a ransomware attack" that encrypted some of their systems. 

"Upon discovery, we immediately responded to secure all systems and commence an investigation into the nature and scope of this incident. Ferrara is cooperating with law enforcement, and our technical team is working closely with third-party specialists to restore impacted systems as expeditiously fully and as safely as possible," Ferrara said in a statement to ZDNet

"We have resumed production in select manufacturing facilities, and we are shipping from all of our distribution centers across the country, near to capacity. We are also now working to process all orders in our queue. We want to assure consumers that Ferrara's Halloween products are on shelves at retailers across the country ahead of the holiday."

Ferrara did not say if it paid a ransom or what ransomware group attacked their systems.

The Chicago Tribune and Crain's Chicago were the first to report the attack. 

Danny Lopez, CEO of cybersecurity company Glasswall, said it was likely no coincidence that attackers hit a candy company's supply chain just before Halloween -- knowing full well the urgency and demand at this time of year would have increased the likelihood that they would get the payment desired. 

Cerberus Sentinel vice president Chris Clements added that the situation was more evidence that every company needs to plan for a "worst-case scenario" like a ransomware attack. 

But even as organizations beef up their defenses, ransomware actors are changing their methods as well. 

"One such tactic is understanding when is likely to be the victim's busiest season that can least afford systems downtime and waiting until that has begun to launch their ransomware attack.  After all, a compromised business that doesn't detect the attacker on day 1 is unlikely to detect the attacker on day 90, especially if the attacker is simply waiting for the opportune time to launch their ransomware," Clements said. 

"By doing so, cybercriminals can make any service disruptions and restoration delays maximally painful to their victim to further coerce them to pay the extortion demand rather than attempt to restore systems or data themselves."

Editorial standards