
Cyber Incident Victim: Edward Don

Date: Jun 2021

Location: United States of America

Summary

A major foodservice equipment and supplies distributor suffered a ransomware attack disrupting business operations, including phone systems, network infrastructure, and corporate email services. The incident forced employees to use personal Gmail accounts for urgent customer communications and halted new order processing, causing significant supply chain impacts for hospitals, restaurants, and hospitality sectors. While the specific ransomware operation remained unconfirmed, analysis suggested potential initial compromise via Qbot malware, historically linked to ransomware groups including REvil, which could facilitate lateral movement, data theft, and encryption payload deployment across the network.


Description

On or around June 7, 2021, Edward Don and Company, a leading distributor of foodservice equipment and supplies, experienced a ransomware attack that disrupted critical business operations. The incident impacted the company’s phone systems, network infrastructure, and email communications, forcing employees to rely on personal Gmail accounts for urgent customer communications regarding order fulfillment. Internal sources confirmed the inability to process new orders until systems were restored, creating immediate logistical challenges for hospitals, restaurants, hotels, and bars dependent on Edward Don’s supply chain. The company did not publicly acknowledge the attack at the time of reporting, though operational disruptions were evident to customers and partners. BleepingComputer verified the attack through employee accounts but received no official response from Edward Don despite outreach attempts. The attack’s timing coincided with a period of heightened ransomware activity targeting critical infrastructure sectors, amplifying concerns about supply chain vulnerabilities.


Advanced Intel CEO Vitali Kremez indicated potential involvement of Qbot malware, based on adversarial visibility into the incident. Qbot, a longstanding malware strain, historically facilitated network access for ransomware groups like ProLock and Egregor, enabling lateral movement, data exfiltration, and ransomware deployment. Following the decline of those groups, the REvil ransomware operation had adopted Qbot’s infrastructure for similar purposes. While no specific ransomware group claimed responsibility for the Edward Don attack, the disruption aligned with established Qbot-affiliated attack patterns. The incident occurred amid high-profile ransomware campaigns against Colonial Pipeline and meat processor JBS, underscoring systemic risks to essential services. Edward Don’s operational paralysis demonstrated the cascading effects of cyberattacks on physical supply chains, though technical details regarding detection methods, containment measures, or data compromise remained undisclosed by the company or investigators.
