Kmart, Latest Victim of Egregor Ransomware – Report

The struggling retailer’s back-end services have been impacted, according to a report, just in time for the holidays.

Retail stalwart Kmart has suffered a ransomware attack at the hands of the Egregor gang, according to a report.

The incident has encrypted devices and servers connected to the company’s networks, knocking out back-end services, according to BleepingComputer. The outlet obtained the purported ransom note that claims to have compromised Kmart’s Windows domain.

The company was purchased by Transformco in 2019 – and the holding company is apparently impacted as well. The 88sears.com site, used internally, is offline, which is a state of affairs that employees confirmed to the outlet was due to the ransomware attack.

The struggling chain’s retail stores appear to be operating normally, according to the report. Little else is known about the situation for now, and Kmart has not confirmed a cyberattack. It did not immediately return a request for comment.

“That’s an early Christmas surprise for Kmart’s new owners, Transformco,” said Colin Bastable, CEO of security awareness training firm Lucy Security, via email. “There is never a good time for a ransomware attack, but the run up to the Christmas shopping period is a bad time for Kmart to be hit. My advice to CISOs: add ‘P.S. Please give me some cybersecurity awareness training budget’ to your Dear Santa letter, and hope that he comes early this year.”

Egregor on a Roll

Egregor is an occult term meant to signify the collective energy or force of a group of individuals, especially when the individuals are united toward a common purpose — apropos for a ransomware gang. The Egregor ransomware was first spotted in the wild in September and October, using a tactic of siphoning off corporate information and threatening a “mass-media” release of it before encrypting all files.

Later that month, it claimed to have hacked gaming giant Ubisoft, lifting the source code for Watch Dogs: Legion, which was released on Oct. 29. It also took responsibility for a separate attack on gaming creator Crytek, relating to gaming titles like Arena of Fate and Warface.

Egregor also recently made headlines after it claimed responsibility for the Barnes & Noble cyberattack, first disclosed on Oct. 15. The bookseller had warned that it had been hacked in emailed notices to customers, “which resulted in unauthorized and unlawful access to certain Barnes & Noble corporate systems.”

Some indications — such as its Nook e-reader service being taken offline starting the weekend before — also pointed to a possible ransomware attack, as did reports from store workers that their physical registers were having trouble.

But operational disruption is just part of the picture.

“One of the big fears coming out of an Egregor ransomware attack is the likelihood of unprotected files being stolen prior to the operation encrypting devices,” Trevor Morgan, product manager with data security specialists comforte AG, said via email. “This sensitive data is then used as leverage to extract a ransom from the target (in this case, the retailer Kmart). Otherwise, the operation leaks the stolen data online.”

In all three aforementioned cases, the attackers published inconclusive information on a leak site showing that they had accessed files during the attack, but not necessarily source code or anything particularly sensitive.

“Kmart can expect data to appear in public shortly,” Bastable noted. “Like its Maze predecessor, the Egregor attack will probably show a little ‘ankle’ to whet Kmart’s appetite, with a full reveal promised if they don’t stump up.”

Preventing the Worst

Companies of all sizes can avoid most of the fallout of attacks like these by taking common-sense precautions, like maintaining backups and using data encryption, researchers said.

“There are several prevention techniques for ransomware attacks like this one, but of course the attacks constantly evolve. Depending on the size and sophistication of a company, prevention can become very difficult,” Ruston Miles, founder and advisor at Bluefin, said via email. “The issue with Kmart and similar retailer breaches is that they may not be adequately securing their data – whether in the cloud, in their network or at the point of intake – which could leave private information in ‘clear-text’, just waiting to be stolen by malicious actors. Companies need to devalue this data with security technologies like encryption and tokenization, so that if a breach does occur – whether ransomware or malware or a combination – the malicious actors get no data of value.”

Morgan underscored the point. “While the report does not conclusively indicate whether threat actors gained access to Kmart’s most sensitive data, it serves as yet another reminder for all businesses to apply the strongest level of data-centric security to their datasets,” he said. “In a situation like Kmart’s, if the data happened to be tokenized then the operation would have much less leverage over the retailer. Let’s hope that this is indeed the case.”

Put Ransomware on the Run: Save your spot for “What’s Next for Ransomware,” a FREE Threatpost webinar on Dec. 16 at 2 p.m. ET. Find out what’s coming in the ransomware world and how to fight back. 

Get the latest from John (Austin) Merritt, Cyber Threat Intelligence Analyst at Digital Shadows, and Israel Barak, CISO at Cybereason, on new kinds of attacks. Topics will include the most dangerous ransomware threat actors, their evolving TTPs and what your organization needs to do to get ahead of the next, inevitable ransomware attack. Register here for the Wed., Dec. 16 for this LIVE webinar.

 

 

Suggested articles