Cyber Incident Victim: Damart
Date:
Aug 2022
Location:
France
Summary
A French clothing retailer experienced a disruptive ransomware attack by the Hive group, which encrypted systems and demanded a $2 million ransom without negotiation. The incident caused operational disruptions, including website outages, halted deliveries, and reduced order processing across numerous stores, while customer support became unavailable. The company proactively shut down systems to limit encryption and involved law enforcement, declining to engage with the attackers. Though Hive employed double-extortion tactics, no data theft was confirmed, and the gang did not publish stolen data. Services were expected to resume gradually following containment efforts.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
The cyber incident impacting Damart, a French clothing retailer with over 130 global stores, commenced on or around August 15, 2022. Initial public indications emerged that evening when the company’s website displayed a maintenance notification stating, "We are sorry for the inconvenience, but we are performing maintenance at the moment." Subsequent investigations confirmed this was the result of a ransomware attack attributed to the Hive group. Damart’s security teams detected intrusion attempts on their servers and implemented immediate containment measures, including the proactive shutdown of multiple applications and critical systems to prevent further encryption or damage. This response temporarily disrupted online operations, customer support functions, and delivery services. Company representatives stated no data exfiltration had been identified at this stage, though Hive typically employs double-extortion tactics involving both encryption and data theft threats.
By August 24, the attack’s operational consequences escalated, affecting 92 physical stores and causing measurable declines in order volumes. The Hive ransomware gang issued a non-negotiable $2 million ransom demand to parent company Damartex, as documented in a leaked ransom note retrieved by journalist Valéry Marchive. Damart declined to engage in negotiations and reported the incident to French national authorities, significantly reducing the likelihood of payment. Internal protocols remained focused on isolating compromised systems, with the company publicly maintaining that encryption had been preempted by their rapid shutdown response. Service restoration efforts targeted a return to normal operations the following week, though full recovery timelines were unspecified. Hive did not list Damart on its data leak site, and no conclusive evidence of data theft was disclosed by either the attackers or the company as of early September. Business disruptions persisted for weeks, primarily impacting digital commerce and logistical operations, while investigations into the intrusion’s scope and initial attack vector continued without public resolution.