Cyber Incident Victim: Cencosud
Date: Nov 2020
Location: Chile
Summary
A major Latin American retail conglomerate suffered a ransomware attack by the Egregor group, disrupting operations across multiple countries. The incident encrypted devices in retail outlets, leading to service interruptions including inability to process proprietary credit card payments, accept returns, or fulfill online purchase pickups. Printers in affected stores automatically generated ransom notes, consistent with Egregor's known tactics of network-wide encryption and potential data exfiltration prior to deployment. The ransomware-as-a-service operation, linked to former Maze ransomware affiliates, targeted the company's supermarkets and department stores, though physical locations remained open with limited functionality. Egregor had previously executed similar attacks against other prominent organizations, leveraging stolen data as part of its extortion strategy.
Description
On November 14, 2020, Chilean multinational retail conglomerate Cencosud suffered a ransomware attack attributed to the Egregor ransomware operation, disrupting operations across its retail outlets in multiple Latin American countries. The attack encrypted devices throughout Cencosud’s network, impacting services at stores including Easy home goods, Jumbo supermarkets, and Paris department stores in Argentina, Brazil, Chile, Colombia, and Peru. Retail locations remained open, but critical customer-facing functions were impaired: an Easy store in Buenos Aires displayed signage indicating it could not process payments via the Cencosud Card credit product, accept returns, or fulfill online purchase pickups due to technical issues. Printers in affected stores across Chile and Argentina automatically generated Egregor ransom notes during the encryption process, a documented feature of the ransomware designed to propagate physical notifications throughout compromised networks. The ransom note did not include links to proof of stolen data, though Egregor operators historically exfiltrated unencrypted files prior to deploying ransomware in other confirmed attacks.

Egregor, a ransomware-as-a-service operation active since September 2020, emerged as a successor to the Maze ransomware group, with threat actors indicating that former Maze affiliates migrated to the Egregor operation. The attack leveraged Egregor’s capability to disrupt enterprise-scale retail operations, mirroring tactics used in prior high-profile incidents against companies including Crytek, Ubisoft, and Barnes & Noble. Cencosud, with over 140,000 employees and $15 billion in 2019 revenue, experienced operational paralysis in payment processing and logistics systems, though the full technical scope of encrypted infrastructure was not publicly detailed. No communication from Cencosud regarding incident response measures, negotiations, or data recovery processes was reported at the time of initial disclosure. BleepingComputer attempted to contact Cencosud for additional details but received no response. The incident highlighted Egregor’s rapid adoption of disruptive tactics against multinational targets, with physical ransom note distribution amplifying psychological and operational pressure on the victim organization.
