Ransomware Attack on The Coffee Bean & Tea Leaf by INC Ransom Group

Incident Date: July 13, 2024

Overview

Title: Ransomware Attack on The Coffee Bean & Tea Leaf by INC Ransom Group
Victim: The Coffee Bean & Tea Leaf
Attacker: Inc Ransom
Location: Los Angeles, USA; California, USA
First Reported: July 13, 2024

Ransomware Attack on The Coffee Bean & Tea Leaf by INC Ransom

Company Overview

The Coffee Bean & Tea Leaf, founded in 1963 by Herbert B. Hyman, is a leading coffee and tea chain headquartered in Los Angeles, California. The company operates over 1,000 stores in nearly 30 countries, including the United States, Singapore, Malaysia, and India. Known for its high-quality ingredients and innovative products like the "Original Ice Blended" drink, the company has a strong emphasis on sustainability and corporate responsibility. In 2019, it was acquired by Jollibee Foods Corporation for $650 million.

Attack Overview

Recently, The Coffee Bean & Tea Leaf fell victim to a ransomware attack orchestrated by the notorious INC Ransom group. The attackers managed to exfiltrate sensitive data, including contracts, financial records, confidential documents, non-disclosure agreements, and invoices. This breach has put significant confidential business information at risk, highlighting the severe security challenges faced by the company.

About INC Ransom

INC Ransom is a highly sophisticated cybercriminal group known for its targeted ransomware attacks on corporate and organizational networks. The group employs advanced techniques such as spear-phishing campaigns and exploiting vulnerabilities like CVE-2023-3519 in Citrix NetScaler. Their attacks involve double extortion, where they not only encrypt data but also steal it and threaten to release it publicly to increase pressure on victims to comply with ransom demands. Active since 2023, INC Ransom has targeted various industries, including healthcare, education, government entities, and technology companies.

Penetration and Vulnerabilities

While the exact method of penetration in this case remains unclear, INC Ransom typically uses a combination of spear-phishing and exploiting known vulnerabilities to gain initial access. Once inside, they use both Commercial Off-The-Shelf (COTS) software and legitimate system tools for reconnaissance and lateral movement within the network. The Coffee Bean & Tea Leaf's extensive digital footprint and the sensitive nature of its data made it an attractive target for such a sophisticated group.

Recent Ransomware Attacks

The Recent Ransomware Attacks (RRA) site acts as a watchtower, providing you with near real-time ransomware tracking of attacks, groups and their victims. Given threat actors’ overarching, lucrative success so far, ransomware attacks have become the most ubiquitous, and financially and informationally impactful cyber threat to businesses and organizations today.

The site’s data is generated based on hosting choices of real-world threat actors, and a handful of other trackers. While sanitization efforts have been taken, we cannot guarantee 100% accuracy of the data. Attack updates will be made as source data is reported by reputable sources. By viewing, accessing, or using RRA you acknowledge you are doing so at your own risk.