Pharmacies and grocery stores belonging to Sobeys, the Canadian food retail company, recently experienced IT systems issues following a cyberattack. Sobeys is one of Canada’s two major grocery retailers, with around 134,000 personnel serving a network of approximately 1,500 stores under a variety of retail banners, including Thrifty Foods, Safeway, Foodland, Lawtons Drugs, IGA and FreshCo, along with Sobeys itself.

Statements following an attack

In a recent press release, Sobeys’ parent company, Empire, revealed that although its grocery stores remained open, a portion of its services were affected by a company-wide IT problem.

Empire commented:

“The Company’s grocery stores remain open to serve customers and are not experiencing significant disruptions at this time. However, some in-store services are functioning intermittently or with a delay. In addition, certain of the Company’s pharmacies are experiencing technical difficulties in fulfilling prescriptions. The Company however remains committed to the continuity of care of all its pharmacy patients.”

The firm also added that it is still working to resolve the issues impacting its IT systems with the goal of reducing disruption in its stores.

In an additional statement posted on Sobeys’ website regarding store services, the firm added that all its stores were open and not experiencing substantial disruptions.

According to employee reports, however, all company computers in impacted Sobeys stores were completely locked out. Fortunately, the payment processing point-of-sale (POS) systems were still online and operating, since they had been set up to function on an independent, segregated network.

Black Basta ransomware at work

While Sobeys has yet to reveal any information connecting this ongoing outage to a specific cyberattack, a local media network reported that Canadian privacy watchdogs in both Alberta and Quebec had confirmed receiving notification of a “confidentiality incident” from the retailer.

A spokesperson for the Quebec watchdog confirmed to The Canadian Press that such alerts are only issued following incidents when personal information is accessed during a breach.

Based on ransom negotiation chats and ransom notes viewed by experts, the attackers appear to have deployed Black Basta ransomware payloads with the end goal of encrypting systems on Sobeys’ corporate network.

Black Basta ransomware was initially identified in attacks during mid-April this year, with the threat group swiftly ramping up its activities against enterprises worldwide over the course of recent months.

While the group’s ransom demands differ greatly in size between victims, one recorded incident saw the victim receive a ransom demand of over $2 million for a decryption tool and to avoid having stolen information leaked online.

Although details about this organisation are few, it is likely not an all-new operation. Given its negotiating style and its capability to swiftly breach new targets, it is probably a rebrand of an existing group.

Some cybersecurity researchers believe that the gang is connected to the well-known Conti ransomware group, but no official evidence exists to support the claim. However, researchers at Sentinel Labs discovered supporting evidence connecting Black Basta to FIN7, the Russian-speaking, financially motivated hacking group with a reputation for deploying targeted POS malware via spear-phishing attacks.