Cyber Incident Victim: Kmart

Date: Dec 2020

Location: United States of America

Summary

Kmart, a US retailer, experienced a ransomware attack by the Egregor cybercrime group, disrupting back-end operations and forcing the parent company's human resources site offline while online stores remained functional. The attackers, known for exfiltrating unencrypted data before encryption, threatened to leak stolen information unless a ransom was paid, though specifics regarding compromised data, encrypted devices, or demanded payment were not disclosed. Egregor, a ransomware operation active since late 2020 and linked to former affiliates of the disbanded Maze group, rapidly targeted multiple high-profile organizations including Crytek and Barnes & Noble following its emergence. The retailer's parent entity did not publicly address the incident at the time of reporting.

Description

On or around December 3, 2020, US retailer Kmart experienced a ransomware attack disrupting back-end operational services. The incident occurred under the ownership of Transform Holdco LLC (Transformco), which acquired Kmart and Sears after Sears Holding Corp’s 2018 bankruptcy. At the time of the attack, Kmart operated 35 physical stores nationwide, a reduced footprint from prior years. While customer-facing online retail platforms remained functional during the incident, Transformco’s Human Resources portal (88sears.com) became inaccessible. Employees attributed this outage directly to the ransomware event. The Egregor ransomware operation claimed responsibility for the attack, employing tactics consistent with their established pattern of exfiltrating unencrypted files prior to deploying encryption payloads. Egregor typically threatened victims with public data leaks via dedicated extortion sites if ransoms went unpaid. No confirmed evidence emerged regarding whether Egregor successfully stole Kmart data, the number of encrypted systems, or the specific ransom demand.

Egregor emerged as a ransomware-as-a-service operation in September 2020, rapidly expanding its victim portfolio by absorbing affiliates from the disbanded Maze ransomware group. This influx of experienced threat actors facilitated Egregor’s attacks against multiple high-profile organizations concurrent with the Kmart incident, including Cencosud, Crytek, Ubisoft, and Barnes and Noble. The attack coincided with Kmart’s ongoing operational downsizing, though an update on December 6, 2020, indicated the retailer maintained 45 active stores. Transformco and Kmart did not publicly acknowledge the incident or provide remediation details despite media inquiries. Service disruption appeared limited to internal HR systems, with no reported impact on customer transactions or financial systems. The absence of subsequent data leaks or payment confirmations left the attack’s final resolution undocumented in available sources.
