Caught in the cyber crosshairs: A candy manufacturer’s 2025 ransomware ordeal

I never imagined that a 150-year-old chocolate company could be brought to its knees by a few clicks on a computer. As the head of IT for Ganong Bros. — Canada’s longest-running family-owned candy manufacturer, established in 1873 — I’ve overseen everything from upgrading our aging inventory systems to keeping the Wi-Fi humming on our factory floor. But nothing prepared me for the morning of February 22, 2025, when a ransomware attack suddenly locked our systems. In that frantic moment, amid the aroma of cocoa and boiling sugar, I realized our sweet operation had turned into a cybersecurity nightmare.

Discovery in the heart of production

It was a bitterly cold Saturday in New Brunswick, and our St. Stephen plant was operating on limited shifts, preparing spring orders. I was at home when I got an early phone call from a production supervisor: “Something’s wrong — the computers in packaging froze and there’s a strange message on-screen.” My stomach dropped. Remotely logging in was impossible; our network was unresponsive. I rushed into the facility to find critical servers encrypted and a ransom note blinking on our monitors.

We later determined the attack had begun earlier, stealthily spreading through our network. By the time we “discovered” it on February 22, malicious code had already crippled several systems. Operations ground to a halt — our automated mixing and wrapping machines were fine mechanically, but without the digital controls and production schedules, we couldn’t safely continue production. Access to our order database and email was cut off. In an instant, our historic chocolate factory was knocked back into the 19th century.

Standing in the server room, I felt a wave of panic wash over me. Generations of the Ganong family legacy were now on my shoulders, and I feared a faceless criminal group could destroy it in one weekend. I gathered my small IT team, and we immediately enacted our incident response procedures (to the extent we had them documented). Our first step was to disconnect the plant’s networks from the outside world to contain any further spread. We also shut down non-essential systems to prevent further encryption from occurring. It was clear this was a full-blown ransomware incident. It was time to seek professional help.

Racing to contain the breach

By midday, we had contacted a third-party cybersecurity incident response firm and our legal counsel. Within hours, external incident responders were on-site at our candy factory, reviewing logs and isolated disk images. Alarms were still blaring from production lines that had been abruptly halted, creating an eerie backdrop to the forensic work.

Our team worked side by side with the experts throughout that weekend, trying to trace the intruder’s footsteps. The initial findings were sobering: the attackers had likely been lurking in our network for days, if not weeks. There were no smashed windows or broken locks in cyberspace, but signs pointed to a phishing email or stolen password as the culprit. We would later learn that 76% of cyberattacks on food manufacturers begin with phishing emails, and I wouldn’t be surprised if we became part of that statistic.

Our containment efforts focused on two urgent fronts: preventing further damage and assessing the extent of the compromise. We reset every employee’s password and applied emergency patches on unaffected systems. We also set up a basic isolated network, allowing plant managers to communicate and begin planning manual workarounds. The forensic team began analyzing the ransomware strain and its signatures. This looked like the work of the “PLAY” ransomware collective, a crew infamous for double-extortion tactics and believed to operate out of Russia.

That revelation sent a chill down my spine. We weren’t dealing with random pranksters – this was a professional extortion crew. A week or two later, the PLAY gang publicly claimed responsibility. At the time, though, we kept that knowledge within the incident team. Our priority was to restore operations and assess our exposure.

Production at a standstill

Walking into the main factory floor that Saturday afternoon was one of the most challenging moments. Typically, you’d see a blur of activity — wrappers spitting out peppermint chocolates, pallets of candies being readied for shipment. Now the lines were silent. Workers stood by idly. I had to announce that a cyber “incident” had occurred and that we needed to pause most work until systems could be brought back safely.

We soon resorted to old-school, manual processes. By Monday, with many office systems still down, plant managers were using paper forms and personal cell phones. It was chaotic but better than total paralysis. Critical customer orders were delayed, but we managed to ship small batches by manually checking inventory and hiring couriers.

Every hour of downtime was costing us money and goodwill. Ransomware crews know that every minute a food producer is down, the losses and pressure mount. Food industry margins are tight, and disruptions ripple through the supply chain. That knowledge weighed heavily as the ransom deadline ticked closer.

Uncovering the attackers’ trail

While operations scrambled to cope, our incident responders uncovered evidence that the hackers had stolen a trove of data before locking us out. Some of our internal files had already been posted as “proof” on the dark web. Seeing screenshots of our internal communications was a gut punch. HR records, emails and product formulas — we didn’t know precisely what they had taken, but we had to assume the worst.

Our legal team prepared for the possibility of data breach notifications. Indeed, attackers had accessed file servers containing HR files and specific contracts. Names, addresses and possibly social insurance numbers of staff, as well as some client details, could be among the stolen data. We informed the provincial privacy commissioner and began drafting notification letters.

The ransom note made a typical threat: pay a hefty sum in cryptocurrency or the stolen data would be dumped online. Law enforcement advised us not to pay. Leadership, including the Ganong family, was adamant about not rewarding the criminals.

Fortunately, we had already begun the recovery process. By the time the ransom deadline passed, we had restored many systems from clean backups and rebuilt others. We never officially responded to the ransom demand. The criminals eventually published a chunk of our stolen data, but we were prepared. Our PR team released a carefully worded statement acknowledging a “cybersecurity incident” and potential data exposure.

Internally, we knew it was ransomware and who was behind it. The name “PLAY” will forever leave a bad taste in my mouth. This group had attacked hospitals, schools and now our chocolate factory. We were just another victim – one of at least 84 known incidents in the food and agriculture sector in the first quarter of 2025.

Restoring operations and confidence

Thanks to round-the-clock efforts, we restored most systems within about one week. By early March, Ganong Bros. was largely back to normal, though with some bumps. A few days’ worth of data had to be re-entered manually. Production resumed once we verified that the machinery controllers were clean and free from contamination. Employees cheered when we announced full production was resuming.

We rolled out multi-factor authentication and stricter access controls. We were transparent (to a certain extent) with key partners and customers, explaining that a cyber incident had caused a temporary disruption but was under control. Fortunately, we didn’t lose any major contracts. 

This attack hit in late February, after Valentine’s and before Easter production. A worse-timed attack could have been devastating. Even so, the financial hit was significant: incident response, overtime, spoiled inventory and new security investments. The breach cost us hundreds of thousands of dollars. But we were glad we didn’t fund criminals or rely on uncertain promises of data return.

In mid-March, media reports labeled it a ransomware attack. Seeing our name in headlines with words like “hacker” and “ransom” was humbling. But if there’s a silver lining, it’s that our story might help others in the supply chain community.

Reflections and lessons learned

Months later, I realize how lucky we were in some ways — and how unprepared we were in others. 

Invest in preventive security. Our network was too flat. We’re now segmenting IT and OT more strictly and deploying better threat detection tools. Legacy systems and lax segmentation were our weaknesses.

Harden remote access and credentials. We’ve enforced multi-factor authentication, minimized remote access and adopted a “zero trust” stance. Phishing awareness training is now mandatory. 

Develop an incident response plan. Our old IR plan was basic and untested. We now have detailed ransomware scenarios, backup communication methods and tabletop exercises in place for leadership. 

Backup, backup, backup. Our offline backups saved us. We now back up more frequently and test restorations regularly. 

Protect the supply chain ecosystem. We’ve shared anonymized lessons with industry peers and tightened vendor security requirements. Cybersecurity is now a standard part of our discussions with partners. 

Looking back, I feel a mix of pride, regret and cautious optimism. Pride in how our team rallied. Regret we didn’t act sooner. Optimism because we’re now stronger and better prepared. 

Cyber resilience is now as critical to our business as our candy recipes or customer relationships. In the world of supply chains, we can no longer shrug off digital threats. We are all targets. And the risks of not acting are too high.

Our 2025 ransomware ordeal was harrowing. But we survived. We kept the business running. And like tempering chocolate, we emerged from intense heat stronger and more resilient than before. 

This article is published as part of the Foundry Expert Contributor Network.