Large supermarket chain in southern Africa hit with ransomware

One of the largest supermarket chains serving multiple countries across southern Africa has been hit with ransomware. 

The Shoprite Group released a statement late last week announcing a cyberattack. The RansomHouse ransomware group took credit for the attack on Tuesday.

The company – which has more than 2,943 stores across Africa and over 149,000 employees – said it “became aware of a suspected data compromise, impacting on a specific subset of data and which may affect some customers who engaged in money transfers to and within Eswatini and within Namibia and Zambia.”

“Affected customers will receive an SMS to the cell number supplied at the time of the transaction,” the company explained. 

“Access to affected areas of the network has also been locked down. The data compromise included names and ID numbers, but no financial information or bank account numbers.”

The company added that it amended “authentication processes” as well as “fraud prevention and detection strategies” in an effort to protect customer information. 

The Shoprite Group did not respond to requests for comment, but said it has notified South Africa’s Information Regulator about the incident. 

It warned customers that the stolen data may be used to scam them and urged people to never share personal information like passwords over email, phone or text. 

RansomHouse openly touted their attack on the supermarket chain, claiming on their Telegram channel that the company “was keeping enormous amounts of personal data in plain text/raw photos packed in archived files, completely unprotected.”

The gang published a sample of the data it stole and said it “invited” the company to negotiate a ransom. 

“The only thing they did is change their passwords like it solves everything. If their position doesn't change, most of this data will be sold with something disclosed to the public,” the group threatened.

“Apart from KYC data, we also got lots of other interesting stuff from the company. Yes, they like to keep a lot of things unprotected.”

The group previously took credit for ransomware attacks on the Saskatchewan Liquor and Gaming Authority, Jefferson Credit Union, AHS Aviation Handling Services and others. 

A Cyberint report last month said the group did not see itself as a ransomware gang and instead claimed to be a platform for other ransomware gangs. 

Emsisoft threat analyst Brett Callow told The Record that the group is associated with the White Rabbit ransomware. The ransomware family emerged in January and has ties to an APT group called FIN8, according to Trend Micro.


A screenshot of the ransom note from one of RansomHouse's victims.

“RansomHouse claims simply to provide a platform for the actors who carry out attacks. It’s more likely, however, that they’re the ones carrying out attacks and using White Rabbit ransomware,” Callow said. 

Supermarkets have become a frequent target for hackers, with the largest supermarket chain in Trinidad suffering from a cyberattack last month that caused outages at all of its locations throughout the country. 

Last July, one of Sweden’s largest supermarket store chains, Coop, was forced to shut down nearly 800 stores across the country after one of its contractors was hit by ransomware in the aftermath of the wide-ranging Kaseya security incident.

Get more insights with the
Recorded Future
Intelligence Cloud.
Learn more.
No previous article
No new articles
Jonathan Greig

Jonathan Greig

is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.