Ransomware Attack on Southwest Traders by BlackSuit Group

Southwest Traders, a prominent foodservice distributor based in Temecula, California, has recently fallen victim to a ransomware attack orchestrated by the cybercriminal group known as BlackSuit. The attack, which targeted the company's website, southwesttraders.com, was discovered on July 7, 2024, and has compromised a significant amount of sensitive data.

About Southwest Traders

Founded in 1977, Southwest Traders has grown into a key player in the foodservice distribution industry, generating an annual revenue of $362.9 million. The company employs approximately 208 people and operates from its headquarters in Temecula, California. Southwest Traders specializes in providing a comprehensive range of foodservice products and innovative supply chain solutions to various establishments, including quick-service restaurants, yogurt shops, ice cream shops, coffee shops, smoothie bars, schools, and boba tea shops. Their business model emphasizes being a one-stop shop for customers, which allows them to streamline operations and enhance efficiency for their partners in the foodservice industry.

Attack Overview

The ransomware attack by BlackSuit has compromised various critical directories, including audit documents, financial records, customer contracts, and internal SOPs. The breach exposed files related to the company's audits, financials, HR documents, and business continuity plans. The attackers potentially accessed and encrypted a vast array of files, totaling over 133 billion bytes, and left the company with over 10 trillion bytes of free space compromised. Notably, the breach included signed NDAs with various partners, such as Tutti Frutti and Philz. The company's President, Terry Walsh, and President of Finance, Keegan Smith, are currently overseeing the response to this cyber incident.

About BlackSuit Ransomware Group

BlackSuit is a new ransomware family that emerged in 2023 and appears to be closely related to the notorious Royal ransomware group. The ransomware targets both Windows and Linux systems, including VMware ESXi servers. It appends the .blacksuit extension to encrypted files and drops a ransom note named README.BlackSuit.txt in each affected directory. The ransom note includes a reference to a Tor chat site where victims can contact the operators. Researchers have found significant similarities between BlackSuit and Royal ransomware, suggesting that BlackSuit is either a new variant developed by the same authors, a copycat using similar code, or an affiliate of the Royal ransomware gang.

Potential Vulnerabilities

Southwest Traders' extensive digital infrastructure and the sensitive nature of the data they handle made them an attractive target for threat actors like BlackSuit. The company's reliance on digital systems for managing supply chains, customer contracts, and financial records may have presented vulnerabilities that the attackers exploited. The breach underscores the importance of stringent cybersecurity measures, especially for companies handling large volumes of sensitive data.

• Southwest Traders
• Security Affairs
• Bleeping Computer
• LinkedIn - Southwest Traders Inc.