Ransomware Attack on Youngs Timber & Builders Merchants by BlackSuit Group

Overview of the Attack

Youngs Timber & Builders Merchants, a prominent supplier of building materials and timber products, has fallen victim to a ransomware attack orchestrated by the BlackSuit group. The attack was discovered on June 26, 2024, and has raised significant concerns about the security of the company's data and operations. The exact size of the data breach remains unknown, but the company's estimated revenue is $5.6 million.

About Youngs Timber & Builders Merchants

Youngs Timber & Builders Merchants, operating under the registered company name J H YOUNG LIMITED, is an independent builders' merchant based in Kent. The company specializes in supplying a wide range of high-quality building materials, including timber, decorating supplies, fencing, landscaping products, cladding, doors, roofing, workwear, and plumbing supplies. They cater to both professional builders and DIY enthusiasts, providing essential products for construction, renovation, and home improvement projects.

What sets Youngs Timber & Builders Merchants apart in the industry is their emphasis on customer service and expert advice. Their knowledgeable staff, with real-world experience in the building trades, offer practical guidance to help customers select the right materials and tools for their specific needs. This commitment to customer support has made them a trusted partner for both seasoned contractors and DIY enthusiasts.

Vulnerabilities and Targeting

Despite their strong market presence, Youngs Timber & Builders Merchants' reliance on digital systems for operations and customer service made them vulnerable to cyberattacks. The construction sector, often perceived as less technologically advanced, can sometimes lag in implementing robust cybersecurity measures, making companies like Youngs attractive targets for ransomware groups.

Details of the Ransomware Group: BlackSuit

BlackSuit is a relatively new ransomware family that emerged in 2023 and is closely related to the notorious Royal ransomware group. The ransomware targets both Windows and Linux systems, including VMware ESXi servers. It appends the .blacksuit extension to encrypted files and drops a ransom note named README.BlackSuit.txt in each affected directory, directing victims to a Tor chat site for further communication.

Researchers have found significant similarities between BlackSuit and Royal ransomware, with a 98% similarity in functions, 99.5% similarity in code blocks, and 98.9% similarity in jumps. This high degree of similarity suggests that BlackSuit could be a new variant developed by the same authors as Royal, a copycat using similar code, or an affiliate of the Royal ransomware gang with some modifications.

Penetration and Impact

The exact method of penetration used by the BlackSuit group to infiltrate Youngs Timber & Builders Merchants' systems is not yet clear. However, common vectors for such attacks include phishing emails, exploiting unpatched vulnerabilities, and leveraging weak or compromised credentials. Given the sophisticated nature of BlackSuit, it is likely that the attackers used a combination of these methods to gain access to the company's network.

The impact of the attack on Youngs Timber & Builders Merchants could be significant, potentially disrupting their operations, compromising sensitive customer and business data, and damaging their reputation. The company will need to undertake a thorough investigation to understand the full extent of the breach and implement measures to prevent future incidents.

Sources

• Company Information - J H YOUNG LIMITED
• Bleeping Computer - The Week in Ransomware