Savannah Candy Kitchen Hit by Ransomware Attack from RansomHub
RansomHub Targets Savannah Candy Kitchen in Ransomware Attack
A ransomware attack targeting Savannah Candy Kitchen, a prominent U.S. company in the Agriculture and Food Production sector, was exposed on September 21, 2024. Known for its Southern confections such as pralines, divinity, and pecan pies, the company has become the latest victim of a data breach. The leaked data reportedly includes information from 16 users, though specific personal details were redacted for privacy. The ransomware leak page shared screenshots of internal company documents, providing a glimpse into sensitive business information while maintaining some level of discretion. Savannah Candy Kitchen, which prides itself on offering a wide variety of sweets and corporate gift baskets, has now been pulled into the broader ransomware landscape. The leak coincides with the discovery of the breach, signaling prompt awareness by cybersecurity monitors. Although the dark web post highlights ransom negotiations, it refrains from revealing personal user details, underscoring the attackers’ focus on extortion rather than widespread data exposure.
About Savannah Candy Kitchen
Savannah Candy Kitchen is a well-established candy manufacturer based in Savannah, Georgia. The company specializes in handmade Southern confections, including its famous pralines, fudge, and other gourmet treats. It operates from a facility that spans over 4,200 square feet, emphasizing the use of natural and local ingredients in its products. As a family-owned business, it has built a reputation for quality and tradition in the confectionery industry. The company is recognized as one of the largest candy producers in the Southeast, and its unique offerings and commitment to craftsmanship help it stand out in the market. Savannah Candy Kitchen employs approximately 35 individuals, making it a small to medium-sized enterprise within the food and beverage sector. The company reported an annual revenue of about $17.4 million in 2024, reflecting its successful operations and strong market presence.
RansomHub: The Ransomware Group
RansomHub, a Ransomware-as-a-Service (RaaS) group, first appeared in February 2024. It quickly carved a place in the ransomware landscape by adopting a highly adaptable and aggressive affiliate model. Its primary aim is financial gain, pursued through double extortion: encrypting victims' data and exfiltrating sensitive information for additional leverage in ransom demands. RansomHub is renowned for its speed and efficiency. Its ransomware is optimized to encrypt large datasets quickly and targets a wide range of platforms (Windows, Linux, and ESXi). By exploiting vulnerabilities in other ransomware groups and leveraging their affiliates' expertise, RansomHub built an agile and formidable operation. The group’s operations surged in August 2024, with over 210 victims listed on its leak site.
Attack Overview
The ransomware attack on Savannah Candy Kitchen was exposed on September 21, 2024. The leaked data reportedly includes information from 16 users, though specific personal details were redacted for privacy. The ransomware leak page shared screenshots of internal company documents, providing a glimpse into sensitive business information while maintaining some level of discretion. The attack highlights the vulnerabilities of small to medium-sized enterprises in the food and beverage sector, which may lack the robust cybersecurity measures of larger corporations. RansomHub’s tactics, including exploiting unpatched systems and leveraging phishing campaigns, likely played a role in penetrating Savannah Candy Kitchen’s defenses.