The chain, which had around 500 stores, was hit by the REvil ransomware attack. The attack used a supply-chain attack to target managed service providers (MSPs).
The REvil ransomware attack, which was first detected in April, targeted various managed service providers (MSPs), including Walmart. The attack was carried out through a remote patch management system known as Kaseya VSA.
Soon after the attack, Coop posted a notice stating “Right now, many of our stores are temporarily closed. The following stores are NOT affected and are open: The online store on coop.se, stores in Värmland, Oskarshamn, Tabergsdalen, Norrbotten and on Gotland. One of our suppliers has been hit by an IT attack and therefore the cash registers do not work. We regret this and do everything to be able to open again soon.”
Coop was only one of the victims of the REvil ransomware attack. On Friday, REvil launched a massive attack against multiple MSPs and through them thousands of businesses globally by abusing a Kaseya VSA update patch.
Coop was affected through its MSP, Visma. It uses Visma’s point-of-sale system to manage its stores’ cash registers and self-checkout kiosks. While Visma states they have 1 million customers, many of whom may have been affected by the REvil ransomware attack yesterday.
“Kaseya, which supplies software for remote control and operation of clients and servers in the retail trade, has been subjected to a cyber attack that is currently affecting Visma EssCom and many other companies around the world. The attack results in the Kaseya software that Visma EssCom and many other service providers use in their deliveries to retailers can be used to spread a ransomware virus to clients and servers in customers’ IT environments.”
According to Kaseya CEO Fred Voccola, the company knows around 40 customers affected by the ransomware attack. While it’s a small number, it’s still significant enough to affect thousands of businesses.
Kaseya states that vulnerability in their on-premise VSA service that REvil abused to conduct the attack would be patched soon.