
Canadian Food Retail Giant Sobeys Hit by Black Basta Ransomware

Grocery stores and pharmacies belonging to Canadian food retail giant Sobeys have been experiencing IT systems issues since last weekend.

Sobeys is one of two national grocery retailers in Canada, with 134,000 employees servicing a network of 1,500 stores in all ten provinces under multiple retail banners, including Sobeys, Safeway, IGA, Foodland, FreshCo, Thrifty Foods, and Lawtons Drugs.

In a press release published Monday, Sobeys’ parent company Empire revealed that while its grocery stores were still open, some services were impacted by this company-wide IT issue.

“The Company’s grocery stores remain open to serve customers and are not experiencing significant disruptions at this time. However, some in-store services are functioning intermittently or with a delay,” the retailer revealed.

“In addition, certain of the Company’s pharmacies are experiencing technical difficulties in fulfilling prescriptions. The Company however remains committed to the continuity of care of all its pharmacy patients.”

The company also added that it’s working on resolving the issues affecting its IT systems to reduce store disruption.

In a separate statement published on Sobeys’ official website with “important information” regarding the retailer’s store services, Sobeys added that all stores remained open and were “not experiencing significant disruptions.”

However, according to employee reports, all computers were locked out in affected Sobeys stores, with point-of-sale (POS) and payment processing systems still online and working since they’re set up to work on a separate network.

IT issues caused by a Black Basta ransomware attack

While the company is yet to disclose any information linking this ongoing outage to a cyberattack, local media reported that Canadian provincial privacy watchdogs from Quebec and Alberta have confirmed receiving “confidentiality incident” notifications from the retailer.

As the Quebec watchdog told The Canadian Press, such alerts are only sent following incidents where personal information has been accessed in a breach.

Furthermore, based on ransom notes and negotiation chats, the attackers deployed Black Basta ransomware payloads to encrypt systems on Sobeys’ network.

Photographs shared by Sobeys employees online also show in-store computers displaying a Black Basta ransom note.

Black Basta ransomware was first spotted in attacks in mid-April 2022, with the operation quickly ramping up its attacks against companies worldwide in the following months.

Although the gang’s ransom demands likely differ in size between victims, the victim received a demand of more than $2 million for a decryptor and to avoid having stolen data leaked online.

By June 2022, Black Basta was already seen deploying payloads on systems previously compromised by Qbot (QuakBot) operators.

Even though details are scarce regarding this ransomware gang, this is likely not a new operation but a rebrand, given their negotiating style and ability to quickly breach new victims.

Some researchers believe that Black Basta is linked to the Conti ransomware.

Additionally, this week, Sentinel Labs found evidence connecting Black Basta to the Russian-speaking, financially motivated FIN7 hacking group known for deploying POS malware and targeting hundreds of firms worldwide in spear-phishing attacks.
