A suspected Ryuk ransomware attack on Recipe Unlimited, a network of some 1,400 restaurants in Canada and North America, has forced the chain to shutdown computers and temporarily close the doors of some of its restaurants while IT teams deal with the attack.
Recipe Unlimited, formerly known as Cara Operations, operates pubs and restaurants under many names, including Harvey’s, Swiss Chalet, Kelseys, Milestones, Montana’s, East Side Mario’s, Bier Markt, Prime Pubs, and the Landing Group of Restaurants. All of the above pub and restaurant brands have been affected by the Recipe Unlimited ransomware attack.
While only a small number of restaurants were forced to close, the IT outage caused widespread problems, preventing the restaurants that remained open from taking card payments from customers and using register systems to process orders.
While it was initially unclear what caused the outage, a ransomware attack on Recipe Unlimited was later confirmed. An employee of one of the affected restaurants provided CBC News with a copy of the ransom note that had appeared on the desktop of one of the affected computers.
The ransom note is the same used by the threat actors behind Ryuk ransomware. They claim files were encrypted with “military algorithms” which cannot be decrypted without a key that is only held by them. While it is unclear exactly how much the attackers demanded in payment to decrypt files, they did threaten to increase the cost by 0.5 BTC (Approx. $4,000 CAD) per day until contact was made. The Recipe Unlimited ransomware attack is understood to have occurred on September 28. Some restaurants remained closed on October 1.
The ransomware attack on Recipe Unlimited is just one of many such attacks involving Ryuk ransomware. The attackers are understood to have collected more than $640,000 in ransom payments from businesses who have had no alternative other than to pay for the keys to unlock their files. The ransomware attack on Recipe Unlimited did not increase that total, as Recipe Unlimited conducted regular backups and expects to be able to restore all systems and data, although naturally that will take some time.
Ransomware attacks on restaurants, businesses, healthcare providers, and cities are extremely common and can be incredibly costly to resolve. The recent City of Atlanta ransomware attack caused widespread disruption due to the sheer scale of the attack, involving thousands of computers.
The cost of resolving the attack, including making upgrades to its systems, is likely to cost in the region of $17 million, according to estimates from city officials. The Ransomware attack on the Colorado Department of Transportation is expected to cost $1.5 million to resolve.
There is no simple solution that will block ransomware attacks, as many different vectors are used to install the malicious file-encrypting software. Preventing ransomware attacks requires defense in depth and multiple software solutions.
Spam filtering solutions should be used to prevent email delivery of ransomware, web filters can be configured to block assess to malicious websites where ransomware is downloaded, antivirus solutions may detect infections in time to block attacks, and intrusion detection systems and behavioral analytics solutions are useful to rapidly identify an attack in progress and limit the harm caused.
All operating systems and software must be kept fully up to date, strong passwords should be used, and end user must receive training to make them aware of the threat from ransomware. They should be taught security best practices and trained how to identify threats. Naturally, robust backup policies are required to ensure that in the event of disaster, files can be recovered without having to pay the ransom.