Play ransomware claims Texas Pete hot sauce maker

Garner Food, manufacturer of the popular Texas Pete hot sauce and other spicy offerings, is claimed by the Play gang on Friday – a reminder that 2026 will likely be another banner year for ransomware attacks.

Play ransomware gang hacks Garner Foods, threatens to publish stolen data in five days.
Compromised information is said to include confidential information, client documents, payroll, and more.
Play is third-most active ransomware gang in 2025 with 364 victims, following a New Year's attack on Esquire Brands, designer of DKNY, Sam Edelman, and Kenneth Cole.

Key Takeaways by nexos.ai, reviewed by Cybernews staff.

The Play group posted Garner Foods on its dark leak blog Friday morning, giving the leading hot sauce-maker just five days to make contact and pay an undisclose ransom demand before Wednesday, January 7th.

Headquartered in Winston-Salem, NC, the nearly century-old company has been churning out sauces since 1929, selling its products in tens of thousands of supermarkets, military commissaries, and convenience stores nationwide.

Play ransomware attack - Texas Pete hot sauce — Play leak site. Image by Cybernews.

Known for producing the Texas Pete and Green Mountain Gringo Salsa lines, including seasonings, snacks, and merchandise, the company also has robust sales in the food service and restaurant industry.

The onion leak site did not say how much data the ransomware operators have allegedly exfiltrated from the manufacturer’s networks, but it lists categories such as:

Private and personal confidential data
Clients documents
Budget
Payroll
IDs,
Taxes
Finance information

Ransomware attacks and the supply chain

Ransomware attacks on food producers can trigger a slew of pain points across multiple business operations and expose sensitive proprietary information, such as signature recipes that form the backbone of a company’s identity.

Ironically, in a press release last New Year’s Day anouncing a new CEO, Garner also boasted of “upgrading to modern technologies,” including a new ERP system (Enterprise Resource Planning) to integrate business functions – HR, finance, supply chain, etc. – on one platform.

In addition to potentially impacting daily business operations and compromising customer and employee data, ransomware attacks on food producers can trigger major supply chain disruptions.

This can affect the flow of sales, deliveries, and payments, and, in some cases, lead to product shortages, damaging a company’s reputation with clients, and even cause loyal consumers to switch brands in the long term.

A cyberattack on Dole Food Company in 2023 forced the manufacturer to shut down production at all its North American facilities, causing a lettuce supply shortage at US grocery stores that lasted for weeks.

And last year, a ransomware attack on United Natural Foods, Inc. (UNFI), the leading supplier for Amazon’s Whole Foods in North America and all US Military exchanges, impacted the food supply chain for more than 30,000 retail locations across the US and Canada.

Cybernews had reached out to Garner Foods and is awaiting a response at the time of this report.

Play ransomware gang’s steady stream of attacks

Play ransomware is a major player in the cybercrime underworld, ranked third among the most active ransomware cartels in 2024, and again in 2025, with 364 claimed victims, edged out only by Qilin and the Cl0p gangs.

The Russian-linked cybercriminals have claimed over 1000 victims since it was first observed in 2022, according to the Cybernews Ransomlooker monitoring tool.

Closing out 2025, on New Year’s Eve, the group posted Esquire Brands, a New York-based clothing and footwear manufacturer for DKNY, Sam Edelman, and Kenneth Cole, as its latest catch.

Play - Top 5 ransomware gangs 2025 — Cybernews Ransomlooker tool shows Play as the third-most active ransomware gang in 2025. Qilin is in the top spot, followed by the Cl0p ransomware group. Screenshot taken January 2nd, 2026. Image by Cybernews.

In the second half of 2025, Play nabbed both the US aerospace and defence manufacturer and parts supplier, ADC Aerospace, and Jamco Aerospace, which hold contracts with industry titans, including the US Navy, Boeing, Collins Aerospace, Honeywell, and Northrop Grumman.

Other prominent Play victims over the years include the GrammaTech, a US-based cybersecurity research outfit that works with DARPA, the cloud computing company Rackspace, BMW France, the German hotel chain H-Hotels, and the Ivy League partnered Study Hotels chain.

Last December, Play also claimed the popular Krispy Kreme doughnut shop chain.

Don't miss our latest stories on Google News. Add us as your Preferred Source on Google

According to an Adlumin profile, Play is thought to be one of the first ransomware groups to use intermittent encryption, in which only certain fixed segments of a system are encrypted.

The method enables faster access to and exfiltration of a victim's data, and other notorious groups have been observed borrowing the tactic, including ALPHV/BlackCat, DarkBit, and BianLian.

Unlock more exclusive Cybernews content on YouTube.