Swedish supermarket chain Coop has closed approximately 500 stores after they were affected by a REvil ransomware attack targeting managed service providers via a supply chain attack.
Last night, the supermarket chain closed its stores after the REvil ransomware gang targeted Managed Service Providers (MSPs) and their customers in a massive supply chain attack via Kaseya VSA, a remote control and patch management tool.
Shortly after the attack, Coop published a notice stating that all but five of its stores had been closed after the cash registers stopped working due to an “IT attack” on one of its suppliers.
At this time, many of our stores are temporarily closed. The following stores are NOT affected and are open: The online store at coop.se, stores in Värmland, Oskarshamn, Tabergsdalen, Norrbotten and on Gotland.
One of our suppliers has been affected by a cyber attack and therefore the cash registers are not working. We regret this and do our best to be able to open again soon. – Coop.
In a statement to Bleeping Computer, Coop said the attack was not aimed at them but at their provider Visma EssCom.
Coop first learned of the attack at around 7 p.m. last night when there were problems with the cash registers, causing stores to close. Stores remain closed through Saturday while Coop works to restore operations.
“We received signals from some of our stores last night around 7pm that there were problems with the cash registers. As customers could not pay, some stores closed early last night. During the night we have worked on the problem, and at 8 this morning we made the decision to close the stores, with the exception of some regions that were not affected, in order to solve the problem without interference.
“So not all of our 800 stores were affected, but most of them. They have been closed all day today, Saturday.”
BBC reporter Joe Tidy also confirmed that Coop had to shut down approximately 500 warehouses due to the ransomware attack.
Encryption via MSP Supply Chain Attack
Yesterday, the REvil ransomware gang carried out a massive attack via the Kaseya VSA patch and remote management software, encrypting the systems of MSPs around the world and their customers.
Coop is a client of the Swedish MSP Visma, which manages the supermarket chain’s point-of-sale system that powers its cash registers and self-checkout kiosks.
Visma confirmed that it was affected by the Kaseya cyberattack, which allowed REvil ransomware to encrypt its customers’ systems.
“Kaseya, which supplies software for remote control and operation of clients and servers in retail, has been the target of a cyberattack that is currently affecting Visma EssCom and many other companies around the world.”
“The attack means that the Kaseya software that Visma EssCom and many other service providers use in their deliveries to retailers can be used to spread a ransomware virus to customers and servers in customers’ IT environments.”
“The most critical consequence is that stores cannot charge customers when cash registers are infected. The attack on Kaseya was discovered Friday night.”
The attack on Coop is only the first of what will be a long list of victims of this attack.
Visma alone claims that it has 1 million customers, many of whom may have been affected by the REvil ransomware attack yesterday.
In a statement to Bleeping Computer, Kaseya CEO Fred Voccola stated that they know of 40 customers affected by the attack.
While this is a small number, it is essential to remember that each of these MSPs could work with hundreds of thousands of companies, making it the most significant ransomware attack ever.
At this time, Kaseya claims that REvil used a vulnerability in its local VSA service to carry out the attack and that a patch would be released soon.