Posted on November 13, 2022 at 7:49 AM
Canadian food retail giant Sobeys has become the latest victim of a cyber attack. The company has been experiencing issues with its IT systems since the attack.
As one of the two national grocery retailers in Canada, Sobeys services a network of 1,500 stores with 134,000 employees. Its operations cover all ten provinces under multiple retail banners, including Thrifty Foods, FreshCo, IGA, Safeway, Lawtons Drugs, and Foodland.
Sobeys Will Remain Committed Despite The Disruptions
Sobeys’ parent company, Empire, in a press statement, stated that although its grocery stores are still operating, the company-wide IT issue has impacted some services.
Additionally, some of the firm’s pharmacies are having technical issues filling prescriptions. But Sobeys assured customers that it remains as committed as ever and will continue to care for all of its pharmacy patients. The organization noted that its security team is working tirelessly to resolve the IT issues and reduce the disruptions affecting the stores.
The company also published a statement on its official website announcing the breach and informing customers that all stores remain open. The firm also stated that it was not experiencing any major disruption in its operations following the breach.
But employee reports show that computers in the affected Sobeys stores were locked out. Payment processing and point-of-sale (POS) systems are still online and operational because they were set up to run on a separate network.
Sobeys has been contacted by the press for more information regarding the breach, but the company has yet to reply.
The Breach Was Caused By Black Basta Ransomware Attack
Although Sobeys has not disclosed much detail about the hacking incident, local media say that Canadian provincial regulators in Alberta and Quebec have reported receiving messages about the incident from the company.
The “confidential incident” notification is only sent to regulators when a breach has led to access to personal information.
Additionally, according to negotiation chats and ransom notes BleepingComputer has seen, the threat actors used Black Basta ransomware payloads in the attack. The payloads were used to encrypt the targeted systems on Sobeys’ network. Multiple sources noted that the hacking incident occurred early on Saturday morning.
The Threat Actors Are Demanding Undisclosed Ransom
Some Sobeys employees shared photographs online showing in-store computers displaying a Black Basta ransom note.
The ransom demanded by the threat actors differs between victims. The demands are higher for more established organizations with worldwide recognition and operations. In one of the hacking incidents, the attackers demanded a ransom of more than $2 million for a decryptor and for not leaking the stolen data online. While the threat actors have made a demand in the Sobeys breach, the amount of ransom demanded is not publicly known.
While there are not enough details available about the ransomware group, its level of sophistication and negotiating style suggest the operation is likely not a new one. Researchers believe that even if it is a new group, its members have experience in ransomware attacks from previous groups.
Black Basta Has Attacked About 50 Organizations Since April
Security researchers first spotted the Black Basta ransomware in attacks in April this year. By June, Black Basta was discovered deploying payloads on systems initially compromised by Qbot operators. Since then, the threat actors responsible for the malware have extended their operations across several organizations around the world.
Some new ransomware groups are rebrands of older ones, and some researchers have linked this group to older ransomware gangs. Black Basta has been linked to the notorious Conti ransomware group, although this has not been confirmed.
Also, SentinelLabs says it has discovered evidence connecting Black Basta to the Russian-speaking hacking group known as FIN7. That threat group is notorious for targeting hundreds of companies worldwide in spear-phishing attacks against point-of-sale systems. Disrupted and unsuccessful attempts have been recorded as well.
The Black Basta ransomware is thought to have already hit about 50 organizations worldwide. Its modus operandi is to exfiltrate data from targeted companies before encrypting the files on the company’s computer systems. Victims have reportedly been hit in countries around the world, including Australia, Canada, India, the United States, the UAE, and New Zealand. Organizations have been advised to do more about the security of their systems and to train employees on safe practices when using internet-enabled devices.
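The exfiltrate-then-encrypt sequence described above is what a defender can look for: a host that pushes an unusual volume of data out of the network and then, shortly afterwards, mass-modifies files. The following is an added illustration, not code from the article or from any vendor: a toy detector that runs over constructed endpoint events and classifies each host as showing the full double-extortion pattern, only a mass-encryption burst, or only bulk outbound transfer. The host names, timestamps, byte volumes, the `.locked` suffix and all thresholds are constructed assumptions chosen for the example, not indicators from this incident.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed tuning values for the toy detector (not derived from any real case).
EXFIL_BYTES = 500 * 1024 * 1024        # outbound bytes within EXFIL_WINDOW
EXFIL_WINDOW = timedelta(minutes=30)
BURST_COUNT = 50                       # suffix-changed files within BURST_WINDOW
BURST_WINDOW = timedelta(minutes=5)
LOCKED_SUFFIX = ".locked"              # constructed placeholder, not a real indicator


def first_window_exceeding(samples, window, threshold):
    """samples: list of (timestamp, value) sorted by time.
    Return the start time of the first sliding window of length `window`
    whose summed value reaches `threshold`, or None if no window does."""
    total = 0
    left = 0
    for t, value in samples:
        total += value
        # Drop samples that fell out of the window ending at t.
        while samples[left][0] < t - window:
            total -= samples[left][1]
            left += 1
        if total >= threshold:
            return samples[left][0]
    return None


def classify_hosts(events):
    """events: iterable of (timestamp, host, kind, detail) where kind is
    'net' (detail = outbound bytes to an external destination) or
    'file' (detail = path written/renamed). Returns per-host verdicts."""
    net = defaultdict(list)
    files = defaultdict(list)
    for t, host, kind, detail in sorted(events, key=lambda e: e[0]):
        if kind == "net":
            net[host].append((t, detail))
        elif kind == "file" and detail.endswith(LOCKED_SUFFIX):
            files[host].append((t, 1))

    verdicts = {}
    for host in set(net) | set(files):
        exfil_at = first_window_exceeding(net[host], EXFIL_WINDOW, EXFIL_BYTES) if net[host] else None
        burst_at = first_window_exceeding(files[host], BURST_WINDOW, BURST_COUNT) if files[host] else None
        if exfil_at is not None and burst_at is not None and exfil_at <= burst_at:
            verdict = "double_extortion"   # bulk outbound, then mass file changes
        elif burst_at is not None:
            verdict = "encryption_only"    # mass file changes without prior bulk outbound
        elif exfil_at is not None:
            verdict = "exfil_only"         # bulk outbound alone (could be a backup job)
        else:
            verdict = "none"
        verdicts[host] = {"exfil_at": exfil_at, "burst_at": burst_at, "verdict": verdict}
    return verdicts


def build_sample_events():
    """Constructed sample telemetry for three hypothetical workstations."""
    base = datetime.fromisoformat("2022-01-01T02:00:00")
    events = []
    # ws-a: 700 MiB out over 7 minutes, then 80 files renamed to .locked.
    for i in range(7):
        events.append((base + timedelta(minutes=i), "ws-a", "net", 100 * 1024 * 1024))
    for i in range(80):
        events.append((base + timedelta(minutes=20, seconds=i), "ws-a", "file", f"/data/doc{i}.docx.locked"))
    # ws-b: the same rename burst with no preceding outbound transfer.
    for i in range(80):
        events.append((base + timedelta(minutes=30, seconds=i), "ws-b", "file", f"/data/sheet{i}.xlsx.locked"))
    # ws-c: 700 MiB out (e.g. a cloud backup) with no file burst.
    for i in range(7):
        events.append((base + timedelta(minutes=i), "ws-c", "net", 100 * 1024 * 1024))
    return events


if __name__ == "__main__":
    for host, info in sorted(classify_hosts(build_sample_events()).items()):
        print(host, info["verdict"], info["exfil_at"], info["burst_at"])
```

The ordering check (`exfil_at <= burst_at`) is what separates the double-extortion pattern from a backup job or a legitimate bulk rename; in practice the outbound-volume baseline and the file-change heuristic would be tuned per environment and fed by real EDR or proxy logs rather than the constructed events here.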