Coop Sweden takes steps to deal with ransomware cyberattack

The attack by the online Cactus gang hit card payments in Värmland county

Supermarket chain Coop Sweden has said it is dealing with a cyberattack, with ransomware affecting stores in the county of Värmland.

The Cactus ransomware gang announced the attack on Twitter on 29 December, adding that it had also targeted UK property services company Bell Group and manufacturer Tridon Australia.

For Coop Sweden, the affected stores are in its division serving Värmland county, which runs 44 supermarkets and 17 smaller stores. The attack began on 22 December, knocking out the card payment system in Värmland stores for much of the day.

Cactus threatened to disclose a huge amount of personal information from Coop Sweden, adding that it has more than 21,000 directories containing personal data. Cactus included ID cards in its initial data leak.

Coop Värmland’s communications manager Klas Olsson told TV4 that a solution was in place and card payments were restored by the end of the day.

“We can confirm that Coop Värmland has experienced a cyberattack,” a Coop spokesperson told Recorded Future News. “Upon detection, external expertise was engaged, and they promptly initiated intensive efforts, primarily focused on closing the vulnerabilities where intrusions occurred.

“The current assessment indicates that these vulnerabilities have been successfully addressed. The work has been ongoing since the occurrence and has persisted throughout the Christmas holiday.”

A temporary page on the Coop Värmland website says it is dealing with the attack and stores are open.

On the home page of its website, Coop Värmland tells customers to contact stores via Facebook with questions and offers other means of contact.

Coop Sweden was previously caught up in a ransomware attack on IT company Kaseya, forcing it to close 500 of its stores. The retailer does not itself use Kaseya software, but was still impacted because one of its software providers does.

Cactus was identified by Kroll Cyber Threat Intelligence analysts in March 2023. 

Cybercrime remains a persistent problem for the retail industry. In 2021, a report from Keeper Security revealed that UK retailers experienced 44 cyberattacks in 12 months – one attack every eight days.

The research warned the attacks resulted in severe disruptions to partner and customer operations (34%), the supply chain (33%), and a retailer’s ability to trade (29%).

Of those organisations that experienced theft of money as a direct result of a breach, 41% lost over £50,000 and 8% lost over £1m.

The report also warns of poor cybersecurity habits at businesses, with weak and reused passwords and an often slow response to incidents.

In January last year, the British Retail Consortium presented its overview of the problem, setting out advice for retailers.