Canadian Food Retail Giant “Sobeys” Hit by Black Basta Ransomware

Grocery stores and pharmacies owned by Canadian food retail giant Sobeys have been experiencing IT systems problems since last weekend.

Sobeys is one of Canada’s two national grocery retailers, employing 134,000 people in a network of 1,500 stores in all ten provinces under multiple retail banners including Sobeys, Safeway, IGA, Foodland, FreshCo, Thrifty Foods and Lawton Drugs.
In a press release published Monday, Sobeys’ parent company Empire revealed that while its grocery stores are still open, some services have been affected by this company-wide IT issue.
“The company’s grocery stores are open to serve customers and are not experiencing significant disruptions at this time. However, some in-store services will operate intermittently or with delays,” the retailer disclosed.

“Additionally, some of the Company’s pharmacies are experiencing technical issues fulfilling prescriptions. However, the Company is committed to continuity of care for all of its pharmacy patients.” The company said it is working to resolve issues affecting its IT systems to minimize store disruption.

[Image: Sobeys ransom notes (Redflagdeals, Reddit)]

In a separate statement published on Sobeys’ official website with “important information” regarding the retailer’s store services, Sobeys added that all stores are open and “are not experiencing significant disruptions.”

However, according to employee reports, all computers at Sobeys stores were locked, while point-of-sale (POS) and payment processing systems remained online and working because they were set up to operate on a separate network. BleepingComputer reached out to Sobeys on Sunday with a request for comment, but has not yet received a reply.

IT problems due to Black Basta ransomware attack
While the company has yet to disclose information linking the ongoing outage to a cyberattack, Canadian provincial privacy watchdogs from Quebec and Alberta confirmed receiving “privacy incident” notifications from the retailer, local media reported.

As the Quebec watchdog told The Canadian Press, such alerts are sent only after incidents where personal information is accessed in a breach. Furthermore, based on ransom notes and negotiation chats seen by BleepingComputer, the attackers deployed Black Basta ransomware payloads to encrypt systems on the Sobeys network. BleepingComputer was told by multiple sources that the attack happened late Friday/early Saturday morning. Photographs shared online by Sobeys employees also show in-store computers displaying a Black Basta ransom note. Black Basta ransomware was first identified in attacks in mid-April 2022, and the operation accelerated its attacks on companies worldwide in the following months.

While the gang’s ransom demands vary in size between victims, BleepingComputer is aware of at least one incident in which a victim received a demand of more than $2 million for a decryptor and to avoid having stolen data leaked online. As of June 2022, Black Basta was already deploying payloads on compromised systems via the Qbot (QakBot) operators. Although details about this ransomware gang are scarce, its negotiating style and ability to quickly breach new victims suggest it may not be a new operation, but a rebrand. Some researchers believe that Black Basta is linked to the Conti ransomware operation, but BleepingComputer could not confirm this.
