Southwest Traders Hit by BlackSuit Ransomware, Data Compromised

Incident Date: August 31, 2024

Overview

Victim: Southwest Traders
Attacker: Black Suit
Location: Stockton, USA; California, USA
First Reported: August 31, 2024

Ransomware Attack on Southwest Traders by BlackSuit Group

Southwest Traders, a prominent foodservice distributor based in Temecula, California, has recently fallen victim to a ransomware attack orchestrated by the cybercriminal group known as BlackSuit. The attack, which targeted the company's website, southwesttraders.com, was discovered on July 7, 2024, and has compromised a significant amount of sensitive data.

About Southwest Traders

Founded in 1977, Southwest Traders has grown into a key player in the foodservice distribution industry, generating an annual revenue of $362.9 million. The company employs approximately 208 people and operates from its headquarters in Temecula, California. Southwest Traders specializes in providing a comprehensive range of foodservice products and innovative supply chain solutions to various establishments, including quick-service restaurants, yogurt shops, ice cream shops, coffee shops, smoothie bars, schools, and boba tea shops. Their business model emphasizes being a one-stop shop for customers, which allows them to streamline operations and enhance efficiency for their partners in the foodservice industry.

Attack Overview

The ransomware attack by BlackSuit has compromised various critical directories, including audit documents, financial records, customer contracts, and internal SOPs. The breach exposed files related to the company's audits, financials, HR documents, and business continuity plans. The attackers potentially accessed and encrypted a vast array of files totaling over 133 billion bytes, with more than 10 trillion bytes of free space reported on the compromised storage. Notably, the breach included signed NDAs with various partners, such as Tutti Frutti and Philz. The company's President, Terry Walsh, and President of Finance, Keegan Smith, are currently overseeing the response to this cyber incident.

About BlackSuit Ransomware Group

BlackSuit is a new ransomware family that emerged in 2023 and appears to be closely related to the notorious Royal ransomware group. The ransomware targets both Windows and Linux systems, including VMware ESXi servers. It appends the .blacksuit extension to encrypted files and drops a ransom note named README.BlackSuit.txt in each affected directory. The ransom note includes a reference to a Tor chat site where victims can contact the operators. Researchers have found significant similarities between BlackSuit and Royal ransomware, suggesting that BlackSuit is either a new variant developed by the same authors, a copycat using similar code, or an affiliate of the Royal ransomware gang.
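The two on-host artifacts described above (the .blacksuit extension and the README.BlackSuit.txt note dropped per directory) are enough to build a simple triage sweep. The following is an added example written for this page, not code from the RRA site or from any vendor; the directory tree it scans is constructed on the fly so it runs offline.

```python
import os
import tempfile
from pathlib import Path

# Indicators taken from the page's description of BlackSuit behaviour.
ENCRYPTED_EXT = ".blacksuit"
RANSOM_NOTE = "README.BlackSuit.txt"


def scan_for_blacksuit(root):
    """Walk `root` and report directories showing BlackSuit artifacts.

    Returns the count of files carrying the .blacksuit extension, the
    paths of any ransom notes, and the directories containing either
    indicator, so responders can scope which shares were touched.
    """
    encrypted = []
    notes = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if name == RANSOM_NOTE:
                notes.append(full)
            elif name.lower().endswith(ENCRYPTED_EXT):
                encrypted.append(full)
    affected = {os.path.dirname(p) for p in encrypted + notes}
    return {
        "encrypted_count": len(encrypted),
        "ransom_notes": sorted(notes),
        "affected_dirs": sorted(affected),
    }


def build_sample_tree():
    """Create a constructed, throwaway tree (hypothetical sample data)."""
    root = Path(tempfile.mkdtemp(prefix="blacksuit_demo_"))
    for sub in ("finance", "hr", "clean"):
        (root / sub).mkdir()
    (root / "finance" / "audit_2023.xlsx.blacksuit").write_text("ciphertext")
    (root / "finance" / RANSOM_NOTE).write_text("constructed note")
    (root / "hr" / "payroll.pdf.blacksuit").write_text("ciphertext")
    (root / "hr" / RANSOM_NOTE).write_text("constructed note")
    (root / "clean" / "menu.docx").write_text("untouched")
    return str(root)


if __name__ == "__main__":
    print(scan_for_blacksuit(build_sample_tree()))
```

On a real host, point `scan_for_blacksuit` at mounted shares or ESXi datastores read-only and feed the affected directory list into the incident scope rather than touching the encrypted files.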

Potential Vulnerabilities

Southwest Traders' extensive digital infrastructure and the sensitive nature of the data they handle made them an attractive target for threat actors like BlackSuit. The company's reliance on digital systems for managing supply chains, customer contracts, and financial records may have presented vulnerabilities that the attackers exploited. The breach underscores the importance of stringent cybersecurity measures, especially for companies handling large volumes of sensitive data.

Recent Ransomware Attacks

The Recent Ransomware Attacks (RRA) site acts as a watchtower, providing you with near real-time ransomware tracking of attacks, groups and their victims. Given threat actors’ overarching, lucrative success so far, ransomware attacks have become the most ubiquitous, and financially and informationally impactful cyber threat to businesses and organizations today.

The site’s data is generated based on hosting choices of real-world threat actors, and a handful of other trackers. While sanitization efforts have been taken, we cannot guarantee 100% accuracy of the data. Attack updates will be made as source data is reported by reputable sources. By viewing, accessing, or using RRA you acknowledge you are doing so at your own risk.