{"id":4395,"date":"2025-08-15T11:35:00","date_gmt":"2025-08-15T11:35:00","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=4395"},"modified":"2025-08-15T11:35:00","modified_gmt":"2025-08-15T11:35:00","slug":"caught-in-the-cyber-crosshairs-a-candy-manufacturers-2025-ransomware-ordeal","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=4395","title":{"rendered":"Caught in the cyber crosshairs: A candy manufacturer\u2019s 2025 ransomware ordeal"},"content":{"rendered":"
\n
\n
\n
\n
<\/div>\n

I never imagined that a 150-year-old chocolate company could be brought to its knees by a few clicks on a computer. As the head of IT for Ganong Bros.<\/a> \u2014 Canada\u2019s longest-running family-owned candy manufacturer, established in 1873 \u2014 I\u2019ve overseen everything from upgrading our aging inventory systems to keeping the Wi-Fi humming on our factory floor. But nothing prepared me for the morning of February 22, 2025, when a ransomware attack suddenly locked our systems. In that frantic moment, amid the aroma of cocoa and boiling sugar, I realized our sweet operation had turned into a cybersecurity nightmare.<\/p>\n

Discovery in the heart of production<\/h2>\n

It was a bitterly cold Saturday in New Brunswick, and our St. Stephen plant was operating on limited shifts, preparing spring orders. I was at home when I got an early phone call from a production supervisor: \u201cSomething\u2019s wrong \u2014 the computers in packaging froze and there\u2019s a strange message on-screen.\u201d My stomach dropped. Remotely logging in was impossible; our network was unresponsive. I rushed into the facility to find critical servers encrypted and a ransom note blinking on our monitors.<\/p>\n

We later determined the attack had begun earlier, stealthily spreading through our network. By the time we \u201cdiscovered\u201d it on February 22, malicious code had already crippled several systems. Operations ground to a halt \u2014 our automated mixing and wrapping machines were fine mechanically, but without the digital controls and production schedules, we couldn\u2019t safely continue production. Access to our order database and email was cut off. In an instant, our historic chocolate factory was knocked back into the 19th century.<\/p>\n

Standing in the server room, I felt a wave of panic wash over me. Generations of the Ganong family legacy were now on my shoulders, and I feared a faceless criminal group could destroy it in one weekend. I gathered my small IT team, and we immediately enacted our incident response procedures (to the extent we had them documented). Our first step was to disconnect the plant\u2019s networks from the outside world to contain any further spread. We also shut down non-essential systems to prevent further encryption from occurring. It was clear this was a full-blown ransomware incident. It was time to seek professional help.<\/p>\n

Racing to contain the breach<\/h2>\n

By midday, we had contacted a third-party cybersecurity incident response firm and our legal counsel. Within hours, external incident responders were on-site at our candy factory, reviewing logs and isolated disk images. Alarms were still blaring from production lines that had been abruptly halted, creating an eerie backdrop to the forensic work.<\/p>\n

Our team worked side by side with the experts throughout that weekend, trying to trace the intruder\u2019s footsteps. The initial findings were sobering: the attackers had likely been lurking in our network for days, if not weeks. There were no smashed windows or broken locks in cyberspace, but signs pointed to a phishing email or stolen password as the culprit. We would later learn that 76% of cyberattacks on food manufacturers begin with phishing emails, and I wouldn\u2019t be surprised if we became part of that statistic.<\/p>\n

Our containment efforts focused on two urgent fronts: preventing further damage and assessing the extent of the compromise. We reset every employee\u2019s password and applied emergency patches on unaffected systems. We also set up a basic isolated network, allowing plant managers to communicate and begin planning manual workarounds. The forensic team began analyzing the ransomware strain and its signatures. This looked like the work of the \u201cPLAY\u201d ransomware collective, a crew infamous for double-extortion tactics and believed to operate out of Russia<\/a>.<\/p>\n

That revelation sent a chill down my spine. We weren\u2019t dealing with random pranksters \u2013 this was a professional extortion crew. A week or two later, the PLAY gang publicly claimed responsibility. At the time, though, we kept that knowledge within the incident team. Our priority was to restore operations and assess our exposure.<\/p>\n

Production at a standstill<\/h2>\n

Walking into the main factory floor that Saturday afternoon was one of the most challenging moments. Typically, you\u2019d see a blur of activity \u2014 wrappers spitting out peppermint chocolates, pallets of candies being readied for shipment. Now the lines were silent. Workers stood by idly. I had to announce that a cyber \u201cincident\u201d had occurred and that we needed to pause most work until systems could be brought back safely.<\/p>\n

We soon resorted to old-school, manual processes. By Monday, with many office systems still down, plant managers were using paper forms and personal cell phones. It was chaotic but better than total paralysis. Critical customer orders were delayed, but we managed to ship small batches by manually checking inventory and hiring couriers.<\/p>\n

Every hour of downtime was costing us money and goodwill. Ransomware crews know that every minute a food producer is down, the losses and pressure mount. Food industry margins are tight, and disruptions ripple through the supply chain. That knowledge weighed heavily as the ransom deadline ticked closer.<\/p>\n

Uncovering the attackers\u2019 trail<\/h2>\n

While operations scrambled to cope, our incident responders uncovered evidence that the hackers had stolen a trove of data before locking us out. Some of our internal files had already been posted as \u201cproof\u201d on the dark web. Seeing screenshots of our internal communications was a gut punch. HR records, emails and product formulas \u2014 we didn\u2019t know precisely what they had taken, but we had to assume the worst.<\/p>\n

Our legal team prepared for the possibility of data breach notifications. Indeed, attackers had accessed file servers containing HR files and specific contracts. Names, addresses and possibly social insurance numbers of staff, as well as some client details, could be among the stolen data. We informed the provincial privacy commissioner and began drafting notification letters.<\/p>\n

The ransom note made a typical threat: pay a hefty sum in cryptocurrency or the stolen data would be dumped online. Law enforcement advised us not to pay. Leadership, including the Ganong family, was adamant about not rewarding the criminals.<\/p>\n

Fortunately, we had already begun the recovery process. By the time the ransom deadline passed, we had restored many systems from clean backups and rebuilt others. We never officially responded to the ransom demand. The criminals eventually published a chunk of our stolen data, but we were prepared. Our PR team released a carefully worded statement acknowledging a \u201ccybersecurity incident\u201d and potential data exposure.<\/p>\n

Internally, we knew it was ransomware and who was behind it. The name \u201cPLAY\u201d will forever leave a bad taste in my mouth. This group had attacked hospitals, schools and now our chocolate factory. We were just another victim \u2013 one of at least 84 known incidents in the food and agriculture sector<\/a> in the first quarter of 2025.<\/p>\n

Restoring operations and confidence<\/h2>\n

Thanks to round-the-clock efforts, we restored most systems within about one week. By early March, Ganong Bros. was largely back to normal, though with some bumps. A few days\u2019 worth of data had to be re-entered manually. Production resumed once we verified that the machinery controllers were clean and free from contamination. Employees cheered when we announced full production was resuming.<\/p>\n

We rolled out multi-factor authentication and stricter access controls. We were transparent (to a certain extent) with key partners and customers, explaining that a cyber incident had caused a temporary disruption but was under control. Fortunately, we didn\u2019t lose any major contracts.\u00a0<\/p>\n

This attack hit in late February, after Valentine\u2019s and before Easter production. A worse-timed attack could have been devastating. Even so, the financial hit was significant: incident response, overtime, spoiled inventory and new security investments. The breach cost us hundreds of thousands of dollars. But we were glad we didn\u2019t fund criminals or rely on uncertain promises of data return.<\/p>\n

In mid-March, media reports labeled it a ransomware attack. Seeing our name in headlines with words like \u201chacker\u201d and \u201cransom\u201d was humbling. But if there\u2019s a silver lining, it\u2019s that our story might help others in the supply chain community.<\/p>\n

Reflections and lessons learned<\/h2>\n

Months later, I realize how lucky we were in some ways \u2014 and how unprepared we were in others.\u00a0<\/p>\n

Invest in preventive security.<\/strong> Our network was too flat. We\u2019re now segmenting IT and OT more strictly and deploying better threat detection tools. Legacy systems and lax segmentation were our weaknesses<\/a>.\u00a0<\/p>\n

Harden remote access and credentials.<\/strong> We\u2019ve enforced multi-factor authentication, minimized remote access and adopted a \u201czero trust\u201d stance. Phishing awareness training is now mandatory.\u00a0<\/p>\n

Develop an incident response plan.<\/strong> Our old IR plan was basic and untested. We now have detailed ransomware scenarios, backup communication methods and tabletop exercises in place for leadership.\u00a0<\/p>\n

Backup, backup, backup.<\/strong> Our offline backups saved us. We now back up more frequently and test restorations regularly.\u00a0<\/p>\n

Protect the supply chain ecosystem.<\/strong> We\u2019ve shared anonymized lessons with industry peers and tightened vendor security requirements. Cybersecurity is now a standard part of our discussions with partners.\u00a0<\/p>\n

Looking back, I feel a mix of pride, regret and cautious optimism. Pride in how our team rallied. Regret we didn\u2019t act sooner. Optimism because we\u2019re now stronger and better prepared.\u00a0<\/p>\n

Cyber resilience is now as critical to our business as our candy recipes or customer relationships. In the world of supply chains, we can no longer shrug off digital threats. We are all targets. And the risks of not acting are too high.<\/p>\n

Our 2025 ransomware ordeal was harrowing. But we survived. We kept the business running. And like tempering chocolate, we emerged from intense heat stronger and more resilient than before.\u00a0<\/p>\n\n

This article is published as part of the Foundry Expert Contributor Network.<\/strong>
<\/strong>Want to join?<\/strong><\/a><\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"

I never imagined that a 150-year-old chocolate company could be brought to its knees by a few clicks on a computer. As the head of IT for Ganong Bros. \u2014 Canada\u2019s longest-running family-owned candy manufacturer, established in 1873 \u2014 I\u2019ve overseen everything from upgrading our aging inventory systems to keeping the Wi-Fi humming on our […]<\/p>\n","protected":false},"author":0,"featured_media":4396,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-4395","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/4395"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=4395"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/4395\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/4396"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=4395"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=4395"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=4395"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}