Sweden-based grocery store chain Coop has closed all 800 of its stores because it could not operate its cash registers following ransomware attacks.
The shutdown of the major food retailer followed Friday’s sophisticated cyber attack on U.S. technology provider Kaseya. REvil, a leading ransomware gang, is suspected of hijacking Kaseya’s desktop management tool VSA and pushing a malicious update that infect tech management providers serving thousands of business.
Coop, one of Sweden’s biggest grocery chains, said a tool used to remotely update its checkout tills was affected by the attack, so payments could not be taken.
“We have been troubleshooting and restoring all night, but have communicated that we will need to keep the stores closed today,” Coop spokesperson Therese Knapp told Swedish Television.
News agency TT said Kaseya technology was used by the Swedish company Visma Esscom, which manages servers and devices for a number of Swedish businesses.
State railways services and a pharmacy chain also suffered disruption.
“They have been hit in various degrees,” Visma Esscom chief executive Fabian Mogren told TT.
Defence Minister Peter Hultqvist told Swedish television the attack was very dangerous and showed how business and state agencies needed to improve their preparedness.
Huntress Labs, one of the first to sound the alarm of the wave of infections at the providers’ clients, said Saturday that thousands of small companies might have been hit.
Miami-based Kaseya said it was working with the FBI and that only about 40 of its customers were impacted directly. It did not comment on how many of those were providers that in turn spread the malicious software to others.
FBI in a statement late on Saturday said it was investigating in coordination with the U.S. Cybersecurity and Infrastructure Security Agency, Reuters reported.
“We encourage all who might be affected to employ the recommended mitigations and for users to follow Kaseya’s guidance to shut down VSA servers immediately,” FBA said.
The impacted businesses had files encrypted and were left electronic messages asking for ransom payments of thousands or millions of dollars.
Some experts said the timing of attack, on the Friday before a long U.S. holiday weekend, was aimed at spreading it as quickly as possible while employees were away from the job.
“What we are seeing now in terms of victims is likely just the tip of the iceberg,” said Adam Meyers, senior vice president of security company CrowdStrike.
President Joe Biden said on Saturday he has directed U.S. intelligence agencies to investigate who was behind the attack.