Co-operative Swedish supermarket chain Coop was forced to close its 800 affiliated stores on Friday evening and Saturday after a ransomware attack on a service provider responsible for billing and point-of-sale systems. The whole thing is directly related to the supply chain attack on the RMM solution Kaseya VSA and the follow-up cyber attack on at least eight major US managed service providers (MSPs).
What is known about the Coop-Sweden case
Coop-Sweden is a cooperative Swedish supermarket chain responsible for just over 20% of sales in the sector. A few hours ago, news broke (see, for example, the following tweet from security researcher Kevin Beaumont) that Coop Sweden had closed its 800 retail stores.
In the stores, customers were informed of an IT problem via notices on Saturday.
A statement was later issued by Coop on its website, the original version of which can be seen below. The text says the following:
At the moment many of our stores are temporarily closed. The following stores are NOT affected and are open: the online store on coop.se, stores in Värmland, Oskarshamn, Tabergsdalen, Norrbotten and Gotland.
One of our suppliers is affected by an IT attack and therefore the cash registers are not working. We apologize for this and are doing everything we can to reopen soon.
The only hard information is that one of the "suppliers" is affected by an IT attack. However, Coop-Sweden does not give details. According to various reports, Coop hopes to reopen the stores on Sunday.
Payment service provider Visma EssCom affected
According to my information, the word "supplier" is more likely to be translated as service provider, because it seems to have hit the service provider Visma EssCom, which is responsible for billing and checkout terminals. On its website, the service provider confirms an attack.
Software provider Kaseya hit by global cyber attack affecting retailers
Kaseya, a provider of software for remote management and operation of retail clients and servers, is the target of a cyber attack that is currently affecting Visma EssCom and many other companies worldwide.
The attack allows Kaseya software used by Visma EssCom and many other retail service providers to be used to spread a ransomware virus to clients and servers in customers' IT environments.
The most critical consequence is that retailers cannot charge their customers if their cash registers are infected. The attack on Kaseya was discovered on Friday evening.
Visma mobilized all available resources to help those affected, together with our partners and security consultants.
So, the service provider was already affected by the attack on Kaseya VSA on Friday evening, after which ransomware was able to spread on its IT systems. This infection could not be resolved until Saturday, which is why no checkout transactions could be settled. Colleagues at The Record report here that Fabian Mogren, CEO of Visma EssCom, confirmed to the Swedish press that they are one of Coop's software suppliers and were affected by the Kaseya incident. In addition, an old press release from 2009 shows that Kaseya collaborated with another Coop supplier to develop a wide range of software solutions.
The supply chain attack on Kaseya VSA
Last night, I reported on the supply chain attack on Kaseya VSA by the REvil ransomware group in the blog post REvil Ransomware attack at 200 Companies via Kaseya VSA and Management Service Provider (MSP). Using the remote monitoring and management (RMM) solution VSA, the group managed to infect at least eight managed service providers (MSPs), which provide IT infrastructure to many customers as service providers, with ransomware. The ransomware came as an update to the VSA management solution and resulted in the MSPs being locked out of administrative access to their VSA servers. Subsequently, the IT systems were encrypted by the REvil ransomware.
This affected at least 200 companies that were customers of these MSPs. It all sounds so distant, as this affected mostly US companies; the timing is ideal, as July 4 is Independence Day in the US. However, after my post of the article linked above on the REvil ransomware attack, I have had administrators reporting in Facebook groups that have the Kaseya VSA solution in use. However, according to information so far, the VSA servers were shut down quickly enough before the REvil ransomware could become active. But I had one German victim reporting that they are using Kaseya VSA within the company, while the administration was run by Konica. On Friday evening the systems were suddenly encrypted.