Cyber Incident Victim: E-Land

Date: Nov 2020

Location: South Korea

Summary

A South Korean retail conglomerate suffered a ransomware attack originating at its headquarters, prompting the shutdown of IT systems to contain the infection and causing operational disruptions that forced 23 stores to suspend operations. The company stated customer data remained secure on separate encrypted servers, though industry trends suggested potential theft of unencrypted files for extortion purposes. No ransomware group publicly claimed responsibility for the incident.

Description

On November 22, 2020, South Korean retail conglomerate E-Land Group suffered a ransomware attack targeting its headquarters, leading to significant operational disruptions. The attack prompted the immediate shutdown of portions of the company’s IT infrastructure to contain the malware’s spread, resulting in the temporary closure of 23 out of 50 NC Department Store and NewCore Outlet retail locations. E-Land Retail CEO Chang-Hyun Seok confirmed the incident, attributing the store closures directly to the preventive system shutdowns. The company, which operates 5,000 franchise stores across 60 retail brands alongside hotels and restaurants, faced immediate impacts on its retail business operations. Seok issued a public apology for the disruptions, emphasizing that the server shutdowns were a deliberate containment measure to limit further damage. While the ransomware encrypted files, the CEO asserted that customer data and other sensitive information resided on separate servers and remained uncompromised. The attack occurred over a weekend, with media reports highlighting its effect on store functionality rather than explicit details about the ransomware’s entry vector or encryption methods.

The incident reflected broader ransomware trends observed since late 2019, where attackers increasingly employed double-extortion tactics involving data theft alongside encryption. Though E-Land did not confirm data exfiltration, industry practices suggested the possibility that unencrypted files might have been stolen prior to encryption, a common precursor to ransom demands involving leaks. No ransomware group publicly claimed responsibility for the attack at the time of reporting, leaving the perpetrators unidentified. The operational impact was confined to temporary store closures and IT system disruptions, with no evidence of prolonged data exposure or secondary attacks disclosed. E-Land’s response focused on containment through system isolation, with no mention of ransom payments, negotiations, or data recovery timelines in available reports. The company’s public communications emphasized minimizing customer harm and restoring operations, without elaborating on technical remediation steps or forensic findings.
