On February 22, 2025, Ganong Bros. Limited, Canada's oldest candy company founded in 1873 and based in St. Stephen, New Brunswick, was hit by a ransomware attack claimed by the PLAY ransomware group. The attack encrypted critical systems and forced an immediate halt to production at the company's manufacturing facility.

What Happened

The PLAY ransomware group, a Russia-based cybercriminal operation, deployed ransomware across Ganong Bros.' IT infrastructure on the morning of February 22. The attack encrypted servers, workstations, and the industrial control systems that manage the company's chocolate production lines. Employees arriving for shifts found systems locked and production lines unresponsive.

The attackers left ransom notes demanding payment in cryptocurrency in exchange for decryption keys and a promise not to publish stolen data. Ganong Bros. immediately engaged incident response professionals and contacted the RCMP and the Canadian Centre for Cyber Security.

Impact on Operations

The operational impact was severe and immediate:

  • Automated mixing and wrapping machines could not function without their digital control systems
  • Order management databases were rendered inaccessible, preventing fulfilment of wholesale and retail orders
  • Corporate email and communications systems were taken offline
  • Supply chain coordination with ingredient suppliers and distributors was disrupted
  • The company was forced to send production workers home while systems were being restored

The PLAY Ransomware Group

PLAY (also known as PlayCrypt) is a ransomware operation that has been active since mid-2022. The group is known for targeting mid-sized organizations across North America, particularly in manufacturing, logistics, and professional services. PLAY employs a double-extortion model, exfiltrating sensitive data before encrypting systems and threatening to publish stolen files if the ransom is not paid.

The group typically gains initial access through exposed Remote Desktop Protocol (RDP) services, VPN vulnerabilities, or compromised credentials. Once inside a network, PLAY operators use living-off-the-land techniques and legitimate tools to move laterally before deploying their ransomware payload.

Recovery and Response

Acting on advice from law enforcement and cybersecurity advisors, Ganong Bros. refused to pay the ransom. The company instead restored operations from clean backups, a process that took several weeks. Despite the refusal to pay, the PLAY group followed through on their threat and published stolen company data on their dark web leak site.

The incident prompted Ganong Bros. to undertake a comprehensive security overhaul, including network segmentation between IT and operational technology environments, enhanced backup strategies, and deployment of endpoint detection and response solutions across all systems.

Manufacturing Cybersecurity Lessons

The Ganong Bros. attack underscores a growing trend of ransomware groups targeting Canadian manufacturers, where operational disruption creates immediate financial pressure to pay. CyberSafe recommends that manufacturing organizations take the following steps:

  • Segment IT and OT (operational technology) networks to prevent ransomware from reaching production systems
  • Maintain offline, tested backups of all critical systems and data
  • Implement multi-factor authentication on all remote access points including VPN and RDP
  • Deploy endpoint detection and response (EDR) services across both corporate and industrial environments
  • Conduct regular tabletop exercises simulating ransomware scenarios specific to manufacturing operations
  • Engage a managed security provider for 24/7 monitoring of network activity and threat detection
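
The first and third recommendations can be checked mechanically against a firewall rule export. The sketch below is an added example, not taken from Ganong Bros. or CyberSafe: the address plan, jump host, and rule set are constructed for illustration, and it assumes first-match rule ordering with IPv4 rules only.

```python
import ipaddress

# Constructed address plan (assumptions for illustration only).
INTERNAL = ipaddress.ip_network("10.0.0.0/8")
IT_NET = ipaddress.ip_network("10.10.0.0/16")         # corporate IT
OT_NET = ipaddress.ip_network("10.20.0.0/16")         # plant floor / OT
OT_JUMP_HOST = ipaddress.ip_network("10.10.5.10/32")  # only IT host allowed into OT
RDP_PORT = 3389

# Constructed rule set: (name, action, src, dst, first_port, last_port), first match wins.
RULES = [
    ("vpn-in",        "allow", "0.0.0.0/0",     "10.10.0.1/32",  443, 443),
    ("legacy-rdp",    "allow", "0.0.0.0/0",     "10.10.8.20/32", 3389, 3389),
    ("jump-to-ot",    "allow", "10.10.5.10/32", "10.20.0.0/16",  22, 22),
    ("erp-to-plc",    "allow", "10.10.0.0/16",  "10.20.3.0/24",  502, 502),
    ("it-to-ot-deny", "deny",  "10.10.0.0/16",  "10.20.0.0/16",  0, 65535),
    ("hmi-share",     "allow", "10.10.0.0/16",  "10.20.9.0/24",  445, 445),
]

def audit(rules):
    """Return (rule_name, finding) pairs for effective allow rules that
    expose RDP to non-internal sources or open an IT-to-OT path that
    does not originate from the jump host."""
    findings, denies = [], []
    for name, action, src, dst, lo, hi in rules:
        s, d = ipaddress.ip_network(src), ipaddress.ip_network(dst)
        if action == "deny":
            denies.append((s, d, lo, hi))
            continue
        # Under first-match, an allow fully covered by an earlier deny never fires.
        if any(s.subnet_of(ds) and d.subnet_of(dd) and dlo <= lo and hi <= dhi
               for ds, dd, dlo, dhi in denies):
            continue
        if not s.subnet_of(INTERNAL) and lo <= RDP_PORT <= hi:
            findings.append((name, "RDP reachable from outside the internal range"))
        if (s.overlaps(IT_NET) and d.overlaps(OT_NET)
                and not s.subnet_of(OT_JUMP_HOST)):
            findings.append((name, "IT-to-OT path bypasses the jump host"))
    return findings

if __name__ == "__main__":
    for rule_name, finding in audit(RULES):
        print(f"{rule_name}: {finding}")
```

In the constructed rule set, "erp-to-plc" is flagged because it sits above the IT-to-OT deny, while "hmi-share" is not, since the earlier deny already blocks it.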
