Major ransomware attack against U.S. technology providers forces Swedish stores to close Reuters

Authors: Johan Ahlander and Joseph Menn

STOCKHOLM (Reuters)-On Saturday, one of the largest ransomware attacks in history spread globally, forcing the Swedish Coop grocery chain to close all of its 800 stores because it cannot operate cash registers.

The closure of this major food retailer follows an unusually sophisticated attack on U.S. technology provider Kaseya on Friday. The ransomware group known as REvil is suspected of hijacking Kaseya’s desktop management tool VSA and pushing malicious updates, infecting technology management providers that serve thousands of enterprises.

Huntress Labs, one of the first companies to warn of the wave of infections among supplier customers, said on Saturday that thousands of small companies may have been hit.

Kaseya, based in Miami, said it is working with the FBI and only about 40 customers are directly affected. It did not comment on how many of them are providers that spread malware to others.

In a statement later on Saturday, the FBI said it was coordinating an investigation with the U.S. Cybersecurity and Infrastructure Security Agency.

The agency said: “We encourage all those who may be affected to adopt the recommended mitigation measures, and encourage users to follow Kaseya’s guidance to immediately shut down the VSA server.”

The affected companies encrypted the files and left electronic messages demanding ransoms of thousands or millions of dollars.

Some experts said that the attack occurred on the Friday before the long weekend in the United States, with the goal of spreading as soon as possible while employees were away from work.

“The victims we are seeing may be just the tip of the iceberg,” said Adam Meyers, senior vice president of security company CrowdStrike.

President Joe Biden said on Saturday that he has instructed U.S. intelligence agencies to investigate behind the attacks.

According to Coop, one of Sweden’s largest grocery chains, the tool used to remotely update its cash register was affected by the attack, making it impossible to make payments.

Coop spokesperson Therese Knapp told Swedish TV: “We have been troubleshooting and recovering all night, but we have already stated that we need to close the store today.”

According to the Swedish news agency TT, Kaseya technology is used by the Swedish company Visma Esscom, which manages servers and equipment for many Swedish companies.

The national railway service and a chain of pharmacies were also disrupted.

“They have been hit to varying degrees,” Visma Esscom CEO Fabian Mogren told TT.

Defense Minister Peter Hultqvist told Swedish television that the attack was “very dangerous” and showed how companies and state institutions need to improve their preparations.

“Under different geopolitical situations, it may be government actors attacking us in this way to shut down society and create chaos,” he said.