Swedish supermarket chain Coop has shut down approximately 500 stores after they were affected by an REvil ransomware attack targeting managed service providers through a supply-chain attack.

Last night, the supermarket chain closed its stores after the REvil ransomware gang targeted managed service providers (MSPs) and their customers in a massive supply-chain attack through Kaseya VSA, a remote patch management and monitoring suite.

Soon after the attack, Coop posted a notice stating all of their stores except for those in five regions had been shut down after cash registers no longer functioned due to an “IT attack” on one of their suppliers.

Right now, many of our stores are temporarily closed. The following stores are NOT affected and are open: The online store on coop.se, stores in Värmland, Oskarshamn, Tabergsdalen, Norrbotten and on Gotland.

One of our suppliers has been hit by an IT attack and therefore the cash registers do not work. We regret this and do everything to be able to open again soon. – Coop.

Translated notice posted on Coop's website

In a statement to BleepingComputer, Coop said that the attack was not aimed at them but their supplier Visma Esscom.

Coop first learned of the attack at approximately 7 PM last night when there were problems with the cash registers, causing stores to close. The stores continue to be closed through Saturday as Coop works on restoring operations.

“We got signals from some of our stores last night at about 7 pm that there were problems with the cash registers. Since the customers could not pay, some stores closed early last night. During the night we have worked on the problem, and this morning at 8 am we took the decision to close the stores, with the exception of a few regions that weren’t affected, to be able to solve the problem without interference.

“So, not all of our 800 stores were affected, but a majority of them. They have been closed the whole day today Saturday.”

BBC reporter Joe Tidy further confirmed that Coop had to shut down approximately 500 stores due to the ransomware attack.

If you have first-hand information about this attack or information about companies affected by the Kaseya cyberattack, we would love to hear about it. You can confidentially contact us on Signal at +16469613731 or on Wire at @lawrenceabrams-bc.

Encrypted through MSP supply chain attack

Yesterday, REvil ransomware conducted a massive attack through the Kaseya VSA patch and remote management software that encrypted MSPs worldwide and their customers.

Coop is a customer of Swedish MSP Visma, which manages the supermarket chain’s point-of-sale system used to power cash registers and self-checkout kiosks.

Visma confirmed they were affected by the Kaseya cyber attack that allowed the REvil ransomware to encrypt their customers’ systems.

“Kaseya, which supplies software for remote control and operation of clients and servers in the retail trade, has been subjected to a cyber attack that is currently affecting Visma EssCom and many other companies around the world.”

“The attack results in the Kaseya software that Visma EssCom and many other service providers use in their deliveries to retailers can be used to spread a ransomware virus to clients and servers in customers’ IT environments.”

“The most critical consequence is that stores cannot charge their customers when the cash registers are infected. The attack on Kaseya was discovered on Friday night.”

The attack on Coop is just the first in what will be a long list of victims from this attack.

Visma alone states they have 1 million customers, many of whom may have been affected by the REvil ransomware attack yesterday.

In a statement to BleepingComputer, Kaseya CEO Fred Voccola stated that they know of 40 customers affected by the attack.

While this is a small number, it is essential to remember that each of these MSPs could potentially work with hundreds of thousands of businesses, making this the most significant ransomware attack ever conducted.

At this time, Kaseya states that REvil used a vulnerability in their on-premise VSA service to conduct the attack and that a patch would be released soon.