
Canadian supermarket chain giant Sobeys suffered a ransomware attack

Sobeys, the second-largest supermarket chain in Canada, was the victim of a ransomware attack conducted by the Black Basta gang.

Sobeys Inc. is the second-largest supermarket chain in Canada; the company operates over 1,500 stores across Canada under a variety of banners. It is a wholly owned subsidiary of Empire Company Limited, a Canadian business conglomerate. During the last week, grocery stores and pharmacies belonging to the company have experienced IT issues.

“The Company’s grocery stores remain open to serve customers and are not experiencing significant disruptions at this time. However, some in-store services are functioning intermittently or with a delay. In addition, certain of the Company’s pharmacies are experiencing technical difficulties in fulfilling prescriptions.” reads a statement published by Empire.

Sobeys also published a notice to inform customers of the IT problems that it is suffering.

“Our stores are currently experiencing systems issues that are affecting some of the services offered. All our stores remain open to serve you and are not experiencing significant disruptions at this time. While some in-store services are functioning intermittently or with a delay, we are pleased to note that our pharmacy network is now able to operate fully.” reads the notice.

According to media reports, which shared the experiences of customers and employees, it was still possible to shop at the stores, but it was not possible to process gift cards or refill prescriptions.

Payment systems were not impacted because they were likely hosted on a separate infrastructure.

At this time the company has yet to confirm a data breach, but local media reported that two provincial privacy watchdogs had received data breach reports from Sobeys.

“Both Quebec’s access to information commission and Alberta’s privacy commission have both been notified by the grocer about a ‘confidentiality incident.’” reported the website Toronto Star.

(Image: source Imgur, images shared by an employee)

Bleeping Computer first reported that the company’s systems were infected with the Black Basta ransomware; the attribution of the attack is based on ransom notes and negotiation chats that Bleeping Computer has observed.

At this time the extent of the attack is not clear. If a data breach is confirmed, it is essential to determine what information was exposed and to quickly alert the impacted individuals.

Last week, security researchers at SentinelLabs shared details about Black Basta’s TTPs and assessed that it is highly likely the ransomware operation has ties with FIN7.

The experts analyzed tools used by the ransomware gang in attacks; some of them are custom tools, including EDR evasion tools. SentinelLabs believes the developer of these EDR evasion tools is, or was, a developer for the FIN7 gang.

Further evidence linking the two includes IP addresses and specific TTPs (tactics, techniques, and procedures) used by FIN7 in early 2022 and seen months later in actual Black Basta attacks.

Black Basta has been active since April 2022; like other ransomware operations, it implements a double-extortion attack model, in which data is stolen before encryption and its publication is threatened to pressure the victim into paying.

On the other hand, FIN7 is a Russian financially motivated group that has been active since at least 2015. It has focused on deploying POS malware and launching targeted spear-phishing attacks against organizations worldwide.

SentinelLabs’ analysis revealed that Black Basta ransomware operators develop and maintain their own toolkit, and the researchers documented collaboration only with a limited and trusted set of affiliates.


Pierluigi Paganini

(SecurityAffairs – hacking, Sobeys)
