Coop Sweden Kaseya supply-chain shutdown
REvil's ransomware attack on Kaseya VSA cascaded through an MSP to Coop Sweden's checkout systems, forcing the supermarket cooperative to close around 800 stores nationwide for days.
- Victim: Coop Sweden
On 3 July 2021, the Swedish supermarket cooperative Coop abruptly closed around 800 stores across Sweden. The cause was not an attack on Coop itself, but one of the most consequential supply-chain ransomware attacks in history, the REvil compromise of Kaseya VSA, which cascaded down through an IT provider and knocked out Coop's checkout systems nationwide.
What happened
On 2 July 2021, the Russia-linked ransomware gang REvil (Sodinokibi) exploited a zero-day vulnerability (CVE-2021-30116) in Kaseya VSA, a remote monitoring and management platform used by managed service providers (MSPs) worldwide. By compromising Kaseya's software, REvil was able to push ransomware simultaneously to thousands of downstream organisations through their MSPs.
Coop was not a direct Kaseya customer. Instead, the attack reached it through Visma Esscom, the MSP that manages Coop's point-of-sale software powering its cash registers and self-checkout kiosks. When Visma's systems were encrypted, Coop's checkout terminals went dark, and a supermarket that cannot charge customers cannot stay open.
Impact
- Coop was forced to close around 800 stores, virtually its entire Swedish footprint, over a holiday weekend.
- Stores were shuttered for several days; Coop's incident-response partner Truesec helped rebuild the payment systems, with most stores reopening within roughly six days by around 8 July.
- Coop deployed workarounds, including a mobile-app self-scanning payment method, to bring some stores back online sooner.
- Globally, REvil demanded a $70 million ransom for a universal decryptor covering all Kaseya victims; Coop did not pay, and Kaseya later obtained a decryptor.
Why it matters
The Coop shutdown became the most visible real-world consequence of the Kaseya attack and a defining illustration of supply-chain and fourth-party risk. Coop did everything an end-customer might reasonably do, yet was crippled because a vulnerability three steps up its software supply chain (vendor to MSP to retailer) was exploited at scale. The incident accelerated regulatory and industry attention to MSP security and software supply-chain integrity, themes that would later anchor the EU's NIS2 Directive and similar resilience frameworks. It remains the canonical European example of how a single upstream zero-day can empty supermarkets of customers.
Timeline
REvil exploits a zero-day in Kaseya VSA to push ransomware to managed service providers and their downstream clients worldwide.
Coop's MSP Visma Esscom, which manages Coop's point-of-sale software, is hit, disabling Coop's cash registers and self-checkout kiosks.
Coop closes around 800 of its roughly 800 stores across Sweden because customers cannot be charged.
REvil publicly demands $70 million in bitcoin for a universal decryptor for all Kaseya victims.
Coop reopens its stores after a workaround restores point-of-sale functionality.
Sources
- bleepingcomputer.com: https://www.bleepingcomputer.com/news/security/coop-supermarket-closes-500-stores-after-kaseya-ransomware-attack/
- therecord.media: https://therecord.media/supermarket-chain-coop-closes-800-stores-following-kaseya-ransomware-attack
- thelocal.se: https://www.thelocal.se/20210706/what-do-we-know-about-the-cyberattack-that-forced-hundreds-of-swedish-supermarkets-to-close
- truesec.com: https://www.truesec.com/why-truesec/cases/coop-back-in-business-after-the-largest-ransomware-attack-of-all-time