Recipe Unlimited denies ransomware attack, despite alleged ransom note

Recipe Unlimited, which operates 19 franchise restaurant brands, must think that claiming to be a victim of a “malware outbreak” sounds better than saying it was a victim of a ransomware attack. Nevertheless, nine of its restaurant brands were impacted by the attack, and some have even closed as the bitcoin ransom demand total grows higher each day.

Corporate said that after the attack (“malware outbreak”), which happened on Friday, Sept. 28, it tried to stop the spread of the ransomware by taking several of its systems offline and suspending internet access to affected locations.

That, in turn, resulted in some restaurants completely closing up shop because – in the words of a note taped to East Side Mario’s – “the head office computer was hacked.” The full note posted on Sept. 30 stated, “Due to a computer issue with Head Office we are closed for the day.” Smaller handwritten info included: “That is 1,400 of our restaurants closed for the day. The head office computer was hacked.”

In total, nine Recipe Unlimited restaurant brands were impacted by the attack: Swiss Chalet, Harvey’s, Milestones, Kelseys, Montana’s, Bier Markt, East Side Mario’s, The Landing Group of Restaurants, and Prime Pubs brands.

If you are unfamiliar with those restaurants, it might be because 1,318 of all 1,379 Recipe Unlimited restaurants are located in Canada. At any rate, the impacted restaurants that did not temporarily close were not able to accept credit or debit transactions.

Ransom increases daily

Despite the company avoiding the words “ransomware attack,” CBC reported seeing the ransom note, which “informs Recipe Unlimited that ‘there is a significant hole in the security of your company’ and that ‘we’ve easily penetrated your network.’”

Instead of being a fixed price, the ransom demand increases every day. The note states, “The final price depends on how fast you write to us. Every day of delay will cost you additional +0.5 BTC.”

As of the time of writing, .5 bitcoin was equal to $3,224.58. If the countdown started on Friday and today is Wednesday, that total ransom demand for six days has jumped up to $19,347.

If Recipe Unlimited opts to pay the ransom, the attackers’ note promised to give the “decrypted data back,” as well as instructions for “how to close the hole in security” and “avoid such problems in the future.”

Recipe Unlimited, however, denied to CBC that it was being held ransom. In a press release, the company claims, “We maintain appropriate system and data security measures and as per standard operating procedures, conduct regular system back-ups to enable us to restore impacted systems.” It is working “with third-party security experts and internal teams to resolve the situation as quickly and effectively as possible.”

As for the ransom demand, Recipe Unlimited claims it was “a ‘generic’ statement associated with a virus called Ryuk and that exact copies of the ransom note can be found via a Google search.”

While detailing a targeted Ryuk ransomware campaign, Check Point Research posted two version of the Ryak ransom note. As of August, Check Point believes the attackers had racked up $640,000 from ransoms. The security firm believes the Ryak and Hermes ransomware were related and wondered about the connection to North Korean Lazarus Group attackers.

As for concerned employees with no clue what is happening or if their data is in the hands of hackers, Recipe Unlimited claimed, “We have no indication that this limited malware incident has resulted in any data breach.”

Key takeaways might include the obvious: Make sure you have recent offsite backups, as well as man up if you are hit with a ransomware attack instead of trying to claim it is a “malware outbreak,” which led to the temporary closing of some businesses. The truth will come out sooner or later, so lying won’t help in the long run.