Reuters forced to close Swedish stores to close major ransomware attacks on US technology providers

By Johan Ahlander and Joseph Menn

STOCKHOLM (Reuters) – One of the largest ransomware attacks in history spread around the world on Saturday as the Swedish food chain Coop forced all its 800 stores to close because it could not use an ATM.

The closure of the main food vendor came on Friday after a sophisticated attack on U.S. technology provider Kaseya. The ransomware gang known as REvil believes that a malicious update that will hijack Kaseya’s desktop management tool and infect technology management providers that serve thousands of businesses.

Huntress Labs, one of the first to raise the alarm wave of infection to supplier customers, said thousands of small businesses could be hit on Saturday.

Kaseya of Miami said he was working with the FBI and that only about 40 of his clients were directly affected. He did not comment on how many of these vendors were, which in turn spread the harmful software to others.

In an appearance Saturday night, the FBI said it was investigating in coordination with the U.S. Cybersecurity and Infrastructure Security Agency.

“We recommend that all recommended mitigation and follow-up of Kaseya’s instructions by users to shut down VSA servers immediately be avoided,” the agency said.

Affected businesses had encrypted files and left emails asking for thousands or millions of dollars in ransom payments.

Some experts said the goal of the attack on the Friday before a long U.S. holiday weekend was to spread the word as soon as workers were out of work.

“What we’re seeing now around the victims is just the tip of the iceberg,” said Adam Meyers, vice president of security company CrowdStrike.

President Joe Biden said on Saturday that he had directed U.S. intelligence agencies to investigate who was behind the attack.

Coop, one of Sweden’s largest food chains, was attacked by a tool used to remotely update its receipts, so payments could not be made.

“We have been repairing and restoring it all night, but today we announced that we will need to keep the shops closed,” Koop spokeswoman Therese Knapp told Swedish Television.

The Swedish news agency TT said that Kaseya technology is used by the Swedish company Visma Esscom, which manages servers and devices for some Swedish businesses.

State rail services and a pharmacy chain were also disrupted.

“They’ve hit it off to varying degrees,” Fabian Mogren, CEO of Visma Escome, told TT.

Defense Minister Peter Hultqvist told Swedish television that the attack was “very dangerous” and showed how companies and state agencies should prepare.

“In another geopolitical situation, it can be government actors who attack us in this way to close society and create chaos,” he said.