STOCKHOLM, July 5 (Reuters) - Computer systems of several
companies across the world, including 800 physical grocery
stores of Sweden's Coop, that were shut down after being attacked by
REvil ransomware could take weeks to recover, cyber security
experts said.
Hackers from the REvil cybercrime gang compromised systems
of IT firm Kaseya and malware trickled down to its resellers and
reached end customers such as Coop who used its software.
The ransomware locked data in encrypted files and late on
Sunday hackers demanded $70 million to restore the data.
The REvil actors had claimed that a million machines were
compromised, said Mark Loman, director of engineering at
cybersecurity firm Sophos.
"Depending on how big your business is and if you have
backups, it can take weeks before you have restored everything,
and as the supermarkets in Sweden have been impacted, they can
lose a lot of food and revenue," he said.
Coop's grocery store chain had to close hundreds of stores
on Saturday because its cash registers are run by Visma Esscom,
which manages servers for a number of Swedish businesses and in
turn uses Kaseya.
Coop and Visma Esscom did not respond to requests for
comment.
While many Coop stores remained closed on Monday, some
stores had opened their doors and were allowing customers to
pay by using an app called "Scan and Pay."
"I don't think we have seen anything this large scale
before," said Anders Nilsson, chief technology officer at ESET
Nordics. "This is the first time we are seeing a grocery not
being able to process payments and this shows how vulnerable we
are."
To fix the issues, Coop's payment provider needs to
physically go to all stores and restore payment machines
manually from backups.
"It doesn't really matter if they pay or not, they are still
going to take time to restore all the machines," Nilsson said.
Colonial Pipeline faced an extortion attack earlier this
year, causing a shutdown lasting several days. The company paid
the hackers nearly $5 million to regain access.
"Paying a ransom is just putting the fire out but it will
not make your environment more secure," said David Jacoby,
deputy director at Kaspersky.
"The companies should not pay the ransom, because we don't
want to encourage cyber criminals that this is something that's
profitable."
(Reporting by Supantha Mukherjee, European Technology &
Telecoms Correspondent, based in Stockholm; Additional reporting
by Raphael Satter; Editing by Nick Macfie)