Cyber Incident Victim: Ferrara Candy
Date: Oct 2021
Location: United States of America
Summary
Ferrara Candy experienced a ransomware attack disrupting operations shortly before a major seasonal sales period. The company contained the incident by securing systems and initiating an investigation with law enforcement and external experts. While some manufacturing facilities resumed partial production, distribution centers operated near full capacity to fulfill orders, ensuring retail product availability. The attackers encrypted portions of the organization's infrastructure, but Ferrara did not confirm whether a ransom was paid or identify the responsible group. Cybersecurity analysts observed that threat actors increasingly time such attacks during peak business cycles to amplify disruption and extortion leverage.
Description
On October 9, 2021, Ferrara Candy Company—a major Illinois-based confectionery manufacturer producing brands including Nerds, Laffy Taffy, Now and Laters, SweetTarts, Jaw Busters, Nips, Runts, and Gobstoppers—detected and disrupted a ransomware attack that encrypted portions of its operational systems. The company immediately initiated response protocols to secure all systems and launched an investigation to determine the scope and nature of the incident. Ferrara engaged third-party cybersecurity specialists to assist with forensic analysis and system recovery efforts while coordinating with law enforcement authorities. The attack occurred during the critical pre-Halloween production and distribution period, one of the company’s peak seasonal demand cycles. Despite the disruption, Ferrara managed to resume operations at select manufacturing facilities shortly after the incident and maintained near-capacity shipping output from all national distribution centers. The company prioritized clearing its order backlog while assuring retailers and consumers that Halloween candy products had already reached store shelves nationwide before the attack commenced.

Ferrara did not disclose whether it paid a ransom or identify the ransomware group responsible for the attack, which was first reported by the Chicago Tribune and Crain’s Chicago. The incident highlighted a broader trend identified by cybersecurity experts, wherein threat actors deliberately time attacks to coincide with victims’ high-demand seasons—such as Halloween for confectionery manufacturers—to amplify operational disruption and financial pressure, thereby increasing the likelihood of ransom payments. While the encryption of systems caused temporary operational challenges, Ferrara’s containment measures prevented widespread supply chain interruptions, allowing the company to fulfill seasonal commitments without significant reported delays. Restoration efforts focused on methodically validating system integrity before reactivation to ensure safety and stability. No customer data breaches or product safety compromises were referenced in the company’s public statements, which emphasized operational recovery and maintenance of retailer partnerships during the investigation.
