The fast-moving Egregor ransomware added Kmart to its list of retail targets, one day before the same attack group hit the Vancouver metro.
The fast-moving Egregor ransomware has already hit other recognizable companies, most notably Barnes and Noble. Egregor first emerged in September and since then more than 70 companies have been targeted. Security pros expect Egregor to become even more active in December during the holiday shopping season and warn that security teams should prepare for more attacks.
In the case of Kmart, stores have dwindled in number since the company filed for bankruptcy in 2018. Nonetheless, the company’s new parent – Transformco – still operates 34 Kmart stores. Some states have assigned “essential” status to Kmart locations because the stores run pharmacies and sell groceries. Presumably, the data housed in the networks of the one-time retail giant is extensive.
Sean Deuby, director of services at Semperis, believes that a business like Kmart in a downward spiral makes for a very logical target. First, attackers can count on the fact that the company’s already-neglected infrastructure has become even weaker as operations subsided. According to the attack report at Bleeping Computer, the ransom note verifies that Kmart’s Active Directory domain was compromised as part of the attack. Deuby said core identity systems like Active Directory are high on the attacker’s priority list, because in addition to its importance, the service’s attack surface has broadened over time – and with weakened IT infrastructure these accumulated exposure points won’t get remediated.
And though Kmart has its troubles, Deuby added that the applications and data that keep the company running are still excellent targets. Despite an otherwise weak ransom profile because of low corporate revenues, the Egregor operators may see an opportunity to make money striking a store that’s become an essential service.
“In addition, the data exfiltrated has the potential to supplement the overall profit,” Deuby said. “Think of it as income diversification.”
Ruston Miles, founder and advisor at Bluefin, was a bit more skeptical about this attack. Miles said Kmart’s current state of business has not made them a more likely target for breaches of this kind, adding that it remains to be seen what kind of data hackers found in the Kmart attack.
“We’d expect them to issue a customer statement soon, similar to what Barnes and Noble issued after their attack, detailing the types of data compromised,” Miles said. “From what I am seeing of Egregor ransomware, they are going after everyone. This tells me they are targeting everyone and anyone – from Kmart to Barnes and Noble to a Chilean grocery chain to mass transit systems in Canada. The lesson here is that no matter your company size or industry, be prepared for these kinds of attacks.”