STOCKHOLM – One of the largest ransomware attacks in history spread across the world on Saturday, forcing the Swedish supermarket chain Coop to close its 800 stores because it couldn’t operate its cash registers.
The closure of the major food retailer followed Friday’s unusually sophisticated attack on US technology provider Kaseya. The ransomware gang known as REvil is suspected of hijacking Kaseya’s desktop management tool, VSA, and releasing a malicious update infecting technology management providers serving thousands of businesses.
Huntress Labs, one of the first to sound the alarm about the wave of infections among the providers' customers, said on Saturday that thousands of small businesses could have been affected.
Miami-based Kaseya said it was working with the FBI and that only about 40 of its clients were directly affected. It did not comment on how many of them were vendors who, in turn, spread the malicious software to others.
In a statement late Saturday, the FBI said it was investigating in coordination with the US Cybersecurity and Infrastructure Security Agency.
“We encourage everyone who may be affected to use the recommended mitigations and for users to follow Kaseya’s instructions to immediately shut down the VSA servers,” the agency said.
The affected companies had their files encrypted and were left emails requesting ransom payments of thousands or millions of dollars.
Some experts said the timing of the attack, on Friday before a long holiday weekend in the United States, was aimed at spreading it as quickly as possible while employees were away from work.
“What we’re seeing now in terms of casualties is probably just the tip of the iceberg,” said Adam Meyers, senior vice president at security company CrowdStrike.
President Joe Biden said on Saturday that he ordered US intelligence agencies to investigate who was behind the attack.
According to Coop, one of Sweden’s largest supermarket chains, a tool used to remotely update its cash registers was affected by the attack, so payments could not be accepted.
“We have been troubleshooting and restoring all night, but we have communicated that we will have to keep the stores closed today,” Coop spokeswoman Therese Knapp told Swedish television.
Swedish news agency TT said Kaseya’s technology was used by Swedish company Visma Esscom, which manages servers and devices for several Swedish companies.
State rail services and a chain of pharmacies were also disrupted.
“They have been beaten to varying degrees,” Visma Esscom CEO Fabian Mogren told TT.
Defense Minister Peter Hultqvist told Swedish television that the attack was “very dangerous” and showed how companies and state agencies needed to improve their preparedness.
“In a different geopolitical situation, it may be government actors who attack us in this way to shut down society and create chaos,” he said. (Reporting by Johan Ahlander, Joseph Menn, and Trevor Hunnicutt; Additional reporting by Ann Maria Shibu; Editing by Kevin Liffey, Daniel Wallis, and David Gregorio)