Ransomware attack on Blue Yonder disrupts retailers ahead of holidays

A ransomware attack against software provider Blue Yonder last week has caused disruptions at several grocery stores and retailers, including Starbucks and two major UK grocery chains.

Blue Yonder, which provides supply chain management services to more than 3,000 organizations around the globe, confirmed on Friday that its managed services hosted environment was affected by a ransomware incident a day earlier on Nov. 21.

UK grocers Sainsbury and Morrisons told CNN Sunday that were working on mitigating the effects of the software outage that resulted from the attack, and The Wall Street Journal reported Monday that Starbucks was also dealing with disruptions due to the ransomware incident, including by using manual methods to manage baristas’ schedules and pay.

Blue Yonder counts several Fortune 500 companies, grocery stores, retailers, manufacturers and distributors among its customers, although it remains unclear exactly which other customers will be impacted by outages going into the U.S. holiday weekend and Black Friday shopping event.

“This attack was likely calculated as the hackers are aware that the Thanksgiving holiday is approaching and disruptions in the supply chain will leave many grocery stores in the U.S. with empty shelves at the worst possible time,” Dan Lattimer, vice president of Semperis, told SC Media. “While details on the specifics of the Blue Yonder attack are scant, it is yet another reminder how damaging supply chain disruptions become when suppliers are taken offline.”

Lattimer noted that the holidays are especially opportune time for ransomware threat actors to strike, not only due to the impact on holiday sales, but also due to the fact that 90% of organizations in the U.S. and 81% of UK organizations have up to 50% fewer security staff available during holidays and weekends, as revealed in Semperis’ 2024 Ransomware Holiday Risk Report published last week. Semperis’ study also found that 86% of ransomware victims are targeted on holidays and weekends, when defenses are more likely to be lowered.

Blue Yonder’s latest update on recovery efforts, published on Nov. 24, stated that the company continues to work “around the clock” on its recovery efforts and investigation into the attack but does not have an estimated timeline for when services will be restored. The company has engaged external cybersecurity firms in its restoration efforts, with CNN reporting that Crowdstrike was one of the companies assisting in recovery.

Blue Yonder also noted there was no suspicious activity observed on its Azure public cloud environment but that it continues to actively monitor the environment. No ransomware group has yet claimed responsibility for the attack and it is unclear if any data was exfiltrated by the attackers.

How companies can increase resilience to supply chain attacks

The Blue Yonder incident is yet another example of a major software supply chain disruption affecting several customers, demonstrating the importance of preparing for and building resilience to such attacks.

“Supply chain attacks are particularly challenging due to vendors being so deeply integrated into organizations. Therefore, prioritizing the security of not only your own IT infrastructure but also the access and credentials of third-party vendors becomes essential,” Nick Tausek, lead security automation architect at Swimlane, told SC Media. “Leveraging automated platforms to centralize incident detection and breach reporting can help organizations efficiently respond to threats.”

Organizations should make efforts to isolate critical systems in order to reduce the sprawl of any attack, including infections of third-party software on a company’s systems, noted Dispersive Vice President Lawrence Pingree.

“One benefit of isolation of systems is that companies can readily avoid many negative affects such as lateral movement (often part of ransomware attacks). In the past these have been called DMZs [demilitarized zones]; today micro-segmentation is popular for reducing the risks of lateral movement, along with living off the land detection in EDR tools,” Pingree told SC Media. “But the best way to protect from lateral movement is to isolate systems and enhance authentication with MFA.”

With the impact these types of attacks can have on business continuity, it is also important for organizations to include resiliency and recovery plans in their third-party supply chain risk management strategy.

“While these supply chain attacks typically focus on data security and privacy concerns, organizations should approach these incidents with a broader focus on cyber resiliency, considering how these attacks impact their ability to serve customers and recover business operations,” SecurityScorecard CISO Steve Cobb said in an email to SC Media. “Organizations must consider this a wake-up call to enhance proactive security measures, including their third-party providers. A robust approach includes continuous monitoring and comprehensive visibility across the supply chain risk.”

KnowBe4 Security Awareness Advocate Martin J. Kraemer also emphasized the importance of robust incident response (IR) plans for third-party software outages, saying “detailed procedures for alternative processes and clear communication paths to keep staff informed and operations running” should be in place ahead of time.

“Organizations cannot predict every third-party failure, but fostering a culture of preparedness through simulations and drills that mimic SaaS outages can build staff readiness and reduce operational downtime during actual events,” McQuiggan told SC Media. “The multi-complex nature of SaaS networks requires IR planning to include proactive coordination and ensure business continuity to reduce the risk of downtime or disruption to the business in the face of third-party disruptions.”