Dive Brief:
- Kmart was the victim of a ransomware attack impacting backend operations at the big box retail chain, according to a report by BleepingComputer.
- The 'KMART' Windows domain was compromised in the attack, according to the report, which cited a ransom note that was shared with the publication.
- The attack has been linked to the Egregor ransomware gang, a fairly new operation that emerged in recent months following the apparent retirement of the Maze organization. Egregor was linked to a string of attacks around the globe, including attacks on Barnes & Noble in the U.S., Cencosud, the Chile-based retail group, and gaming companies Ubisoft and Crytek.
Dive Insight:
The Kmart attack would mark the latest blow to the retail industry in the U.S., which has suffered from reduced in-store traffic due to government-mandated stay-at-home orders stemming from the pandemic.
Retailers have been on alert during the holiday shopping season, as a spike in COVID-19 cases adds pressure to shift transactions from in-person shopping malls to e-commerce, providing a rich target of opportunity for criminal cyber gangs.
The code used in the Egregor attacks seems to be a variant of the Sekhmet ransomware, according to Gil Kirkpatrick, chief architect at Semperis. The method involves siphoning off corporate information and threatening mass media release, before encrypting all files.
"It's impossible to overestimate the impact of ransomware on any industry, and with the shift towards e-commerce this holiday season, retail has become a particularly ripe target," said Curtis Simpson, CISO at Armis. "Any interference to the supply chain during the holiday shopping season will seriously impact the bottom line of retailers."
Kmart, once one of the nation's most popular mass market department stores, has undergone major cutbacks in recent years due to the explosive growth of e-commerce rivals, including Amazon, and big box competition from Walmart, Target and neighborhood discount chain Dollar Tree.
Sears Holdings, the former parent of Kmart and Sears, filed for Chapter 11 bankruptcy in 2018. Under Kmart's current parent, Transform Holdco (Transformco), the retailers went through massive cuts over the last two years and fell to about 60 combined Kmart and Sears stores as of September. The report did not mention whether Sears stores were impacted by the attack.
Kmart's e-commerce site continued to operate following the attack; however, the Transformco human resources site was knocked offline, according to the report.
The attack highlights that standard prevention techniques will not stop a sophisticated adversary, according to analysts.
"Defenders must always operate under the assumption that intruders will or have already gained access to critical systems with breach campaigns that actually involve the abuse of credentials and privileges," said Darren Mar-Elia, VP of products at Semperis. "Active Directory, the central identity system of 90% of organizations, is a prime target for attackers attempting to steal data and deploy ransomware across the network."
Officials at Kmart did not return requests for comment.