Coop supermarket closes hundreds of stores after Kaseya supply chain ransomware attack
by Pierluigi Paganini
Swedish supermarket chain Coop is the first company to disclose the impact of the recent supply chain ransomware attack that hit Kaseya.
The supermarket chain Coop shut down approximately 500 stores as a result of the supply chain ransomware attack that hit the provider Kaseya.
The REvil ransomware operators initially compromised the Kaseya VSA’s infrastructure, then pushed out malicious updates for VSA on-premise servers to deploy ransomware on enterprise networks.
“We first noticed problems in a small number of stores on Friday evening around 6:30pm so we closed those stores early. Then overnight we realised it was much bigger and we took the decision not to open most of our stores this morning so that our teams could work out how to fix it.” a spokeswoman for Coop Sweden told the BBC.
“The whole paying system at our tills and our self-service checkouts stopped working so we need time to reboot the system.”
The investigation is still ongoing, according to security firm Huntress Labs at least 200 organizations have been impacted, making this incident, one of the largest ransomware attack in history.
At the time of this writing, at least 20 MSPs have been compromised as part of this supply-chain attack, but experts believe that the attack might have impacted thousands of companies across the world.
After the attack, Coop posted a notice to inform customers of the problems that were caused by an “IT attack” on one of their suppliers.
“During Friday evening, July 2, Coop was hit by major IT disruptions that affected our cash registers in stores. This is part of a larger global event aimed at the American software company Kaseya. Several other Swedish and international companies have been affected by the same event. We regret the situation and we are working intensively to solve the problems as soon as possible. A majority of Coop’s stores have not been open on Saturday 3 July, but the hope is that more stores will be able to open on Sunday 4 July. Our stores in Värmland, Norrbotten, Oskarshamn, Tabergsdalen, Gotland and Varberg are still open. You can also shop as usual on coop.se and have goods delivered according to the delivery options available where you live.” reads the notice published by the company.
Coop doesn’t use Kesaya software, anyway, it was impacted by the incident because one of their software providers does.
According to BleepingComputer, the impacted provider is the Swedish MSP Visma who manages the payment systems for the supermarket chain.
Visma confirmed they were affected by the Kaseya cyber attack that allowed the REvil ransomware to encrypt their customer’s systems.
“The attack results in the Kaseya software that Visma EssCom and many other service providers use in their deliveries to retailers can be used to spread a ransomware virus to clients and servers in customers’ IT environments.” reads a statement from Visma. “The most critical consequence is that stores cannot charge their customers when the cash registers are infected. The attack on Kaseya was discovered on Friday night. Visma has mobilized all available resources to, together with our partners and security consultants, assist those affected.”
The The attack on Coop is just the first in what will be a long list of victims from this attack.
Considering that Visma has roughly 1 million customers, likely the supply chain attack may have impacted the infrastructure of many other companies.
About the Author:
Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.
The article originally published at: https://securityaffairs.co/wordpress/119663/cyber-crime/coop-supermarket-kaseya-ransomware-attack.html.