Pierluigi Paganini July 04, 2021

Swedish supermarket chain Coop is the first company to disclose the impact of the recent supply chain ransomware attack that hit Kaseya.

The supermarket chain Coop shut down approximately 500 stores as a result of the supply chain ransomware attack that hit the provider Kaseya.

The REvil ransomware operators initially compromised the Kaseya VSA’s infrastructure, then pushed out malicious updates for VSA on-premise servers to deploy ransomware on enterprise networks.

“We first noticed problems in a small number of stores on Friday evening around 6:30pm so we closed those stores early. Then overnight we realised it was much bigger and we took the decision not to open most of our stores this morning so that our teams could work out how to fix it.” a spokeswoman for Coop Sweden told the BBC.

“The whole paying system at our tills and our self-service checkouts stopped working so we need time to reboot the system.”

The investigation is still ongoing, according to security firm Huntress Labs at least 200 organizations have been impacted, making this incident, one of the largest ransomware attack in history.

At the time of this writing, at least 20 MSPs have been compromised as part of this supply-chain attack, but experts believe that the attack might have impacted thousands of companies across the world.

After the attack, Coop posted a notice to inform customers of the problems that were caused by an “IT attack” on one of their suppliers.

“During Friday evening, July 2, Coop was hit by major IT disruptions that affected our cash registers in stores. This is part of a larger global event aimed at the American software company Kaseya. Several other Swedish and international companies have been affected by the same event. We regret the situation and we are working intensively to solve the problems as soon as possible. A majority of Coop’s stores have not been open on Saturday 3 July, but the hope is that more stores will be able to open on Sunday 4 July. Our stores in Värmland, Norrbotten, Oskarshamn, Tabergsdalen, Gotland and Varberg are still open. You can also shop as usual on coop.se and have goods delivered according to the delivery options available where you live.” reads the notice published by the company.

Coop doesn’t use Kesaya software, anyway, it was impacted by the incident because one of their software providers does.

According to BleepingComputer, the impacted provider is the Swedish MSP Visma who manages the payment systems for the supermarket chain.

Visma confirmed they were affected by the Kaseya cyber attack that allowed the REvil ransomware to encrypt their customer’s systems.

“The attack results in the Kaseya software that Visma EssCom and many other service providers use in their deliveries to retailers can be used to spread a ransomware virus to clients and servers in customers’ IT environments.” reads a statement from Visma. “The most critical consequence is that stores cannot charge their customers when the cash registers are infected. The attack on Kaseya was discovered on Friday night. Visma has mobilized all available resources to, together with our partners and security consultants, assist those affected.”

The The attack on Coop is just the first in what will be a long list of victims from this attack.

Considering that Visma has roughly 1 million customers, likely the supply chain attack may have impacted the infrastructure of many other companies.

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, LinkedIn)

[adrotate banner=”5″]

[adrotate banner=”13″]