Cyber Incident Victim: Essendant
Date: Mar 2023
Location: United States of America
Summary
Wholesale distributor Essendant experienced a significant network outage caused by a LockBit ransomware attack, disrupting online order placement, fulfillment, and customer service communications. The incident halted shipments and prompted suppliers to withhold deliveries, frustrating customers and employees who speculated about a breach amid prolonged operational paralysis. LockBit claimed responsibility days after the outage began, taunting the company about its recovery efforts, while initial public statements referred only to a generic network disruption. The organization later confirmed the ransomware intrusion as the root cause, undertaking system cleanup procedures to restore operations during a multi-day recovery period.
Description
On March 6, 2023, Essendant, a wholesale distributor of office products, experienced a significant network outage that disrupted operations. The outage prevented customers from placing or fulfilling online orders and impeded communication with customer care representatives. Freight carriers were instructed to halt pick-ups indefinitely, while suppliers were advised to withhold shipments due to the unavailability of essential systems. The disruption persisted for multiple days, generating operational paralysis and widespread frustration among customers and partners. Employees and clients privately speculated about a potential ransomware attack, though Essendant’s initial public communications referred only to a generic "network outage" without acknowledging malicious activity. By March 9, social media complaints highlighted the outage’s severity, with customers unable to perform their jobs and criticizing the company’s lack of transparency.

The LockBit ransomware gang claimed responsibility for the attack on March 14, publishing Essendant’s name on its data leak site alongside a taunting message urging the company to "Change a recovery company and try again." This announcement coincided with Essendant’s revised status update, which acknowledged ongoing recovery efforts, including a system "clean-up" nearing completion, yet continued to attribute disruptions to a "network outage." Only after LockBit’s claim did Essendant confirm on March 17 that the incident stemmed from a ransomware attack. The prolonged outage mirrored patterns observed in prior LockBit operations, including attacks on Royal Mail in February 2023 (which disrupted international shipping) and Dish Network (which suffered multi-day outages preceding ransomware confirmation). LockBit had similarly claimed responsibility for network disruptions at InterContinental Hotels Group in September 2022 after initial ambiguity from the victim organization. Essendant’s delayed public acknowledgment of ransomware hindered stakeholders’ ability to assess risks or implement contingency measures during the outage.
