Canadian supermarket chain Sobeys hit by ransomware attack

Sobeys, Canada’s second largest supermarket chain, has been the victim of a ransomware attack by the Black Basta gang.

Sobeys Inc. is Canada’s second largest supermarket chain, operating more than 1,500 stores across Canada under various brands. It is a wholly owned subsidiary of the Canadian business group Empire Company Limited. Last week, the company’s grocery stores and pharmacies experienced IT problems.

“The Company’s grocery stores remain open to serve customers and are not experiencing major disruptions at this time. However, certain in-store services will operate intermittently or with delays. Additionally, some of the Company’s pharmacies are experiencing technical difficulties fulfilling prescriptions,” reads a statement issued by Empire.

Sobeys also issued a notice advising customers of the IT issue it was experiencing.

“Our stores are currently experiencing system issues that are affecting some of the services we offer. All of our stores remain open to serve you and have not experienced major disruptions at this time. While some in-store services have been intermittent or delayed, we are happy to take note that our pharmacy network is now fully operational,” reads the notice.

Stores remain open for in-person shopping, but gift cards and prescription refills are unavailable, according to outlets that have collected customer and employee accounts.

Payment systems were not affected, likely because they are hosted on separate infrastructure.

The company has yet to confirm a data breach, but local media report that two provincial privacy regulators have received notifications from Sobeys.

“Quebec’s Access to Information Commission and Alberta’s Privacy Commission have both been notified by the grocer of a ‘confidentiality incident’,” the Toronto Star reports.

Image shared by an Imgur employee

Bleeping Computer first reported that the company’s systems were infected with Black Basta ransomware, basing the attribution on ransom notes and negotiation chat logs it observed.

The extent of the attack is currently unknown. If a data breach is confirmed, the exposed information must be identified and the affected individuals promptly notified.

Last week, security researchers at SentinelLabs shared details about Black Basta’s TTPs and assessed that the ransomware operation likely has links to FIN7.

The researchers analyzed the tools the ransomware gang uses in its attacks, some of which are custom-built, including EDR evasion tools. SentinelLabs believes that the developers of these EDR evasion tools are, or were, developers within the FIN7 gang.

Further evidence linking the two includes IP addresses and specific TTPs (tactics, techniques, and procedures) used by FIN7 in early 2022 and seen in actual Black Basta attacks a few months later.

Black Basta has been active since April 2022, and like other ransomware operations, it implements a dual-extortion attack model.

FIN7, on the other hand, is a financially motivated, Russia-based group that has been active since at least 2015. It focuses on deploying POS malware and launching targeted spear-phishing attacks against organizations worldwide.

SentinelLabs’ analysis shows that the Black Basta operators develop and maintain their own toolkits, and that their only documented cooperation is with a limited set of trusted affiliates.

Pierluigi Paganini

(security affairs – Hacking, Sobeys)
