Friday’s sophisticated attack on Kaseya VSA, a software developer used by managed service providers (MSPs) delivering IT support to a host of small and medium-sized businesses, has spread across the Atlantic, forcing Swedish Coop – one of the Scandinavian nation’s largest supermarket chains – to shut down all 800 of its stores.
Speaking to Swedish Television on Saturday, a Coop spokesperson confirmed the company was forced to shutter its stores because a remote software tool used to update checkout tills was compromised by the hack attack, preventing tills from being operated.
“We have been troubleshooting and restoring all night, but have communicated that we will need to keep the stores closed today,” the spokesperson said.
Along with the grocery chain, Sweden’s state railways and a pharmacy chain have also reportedly been affected.
Kaseya, the Ireland-headquartered company operating the compromised software, confirmed that it was working with the FBI after indicating that about 40 of its customers were directly impacted by the ransomware attack. However, these customers are known to include MSPs, which themselves deliver support to hundreds and possibly thousands of companies.
The FBI released a statement late on Saturday confirming that it was “investigating this situation and working with Kaseya, in coordination with” the Cybersecurity and Infrastructure Security Agency to contact “possibly impacted victims.” The domestic security agency has encouraged affected users to shut down compromised servers immediately.
In its analysis of the breach, Huntress Labs, a Maryland-based cybersecurity company, estimated that over 200 US businesses had been impacted by the ransomware. Some victims have reportedly been asked to provide cash payments starting at $45,000 to get their services back online, while others have been hit for millions of dollars in cryptocurrency.
It’s not clear if businesses in countries besides the US and Sweden have been affected. Kaseya boasts a presence in over 10 countries, and has a US headquarters in Miami, Florida. 68 percent of the company’s customers are US-based, with 91 said to be based in the UK, 77 in India, 58 in Australia, 51 in Canada, 39 in the Netherlands, and over a dozen in Brazil, South Africa, and New Zealand. The vast majority of industries using the company’s products are software firms and information technology services, with other clients including hospitals, retailers, education providers, construction businesses, and financial services firms.
The infamous REvil hacking group feared to be behind the Kaseya hack is the same criminal group which was blamed for the May ransomware attack on the US operations of JBS SA – a major Brazilian meat processing company. It’s also thought to be responsible for a long campaign of ransomware attacks and blackmailing efforts directed against everyone from tech giants Apple and Acer to state governments, law firms and educational institutions, and individuals including Donald Trump, Lady Gaga, and Madonna.
Russian President Vladimir Putin indirectly commented on the cybercriminals’ activities last month, suggesting it was “just ridiculous to blame Russia” for the attacks, and complaining that US “accusations keep coming” even as the US and its allies turn down Russian proposals for cooperation against cybercrime. Putin's comments echoed sentiments expressed regularly by Moscow whenever Washington makes its latest "Russian hacking" claims.