Department store chain Kmart has suffered a cyberattack by the Egregor ransomware operation, resulting in the encryption of devices and servers connected to the company’s networks.
According to Bleeping Computer, online stores continue to operate, but the 'Transformco Human Resources Site,' 88sears.com, is currently offline, leading employees to believe the outage is caused by the recent ransomware attack.
Sean Gallagher, senior threat researcher at Sophos, says, “Ransomware operators are going to target retailers during the holiday season because that’s where the money is—retailers can’t afford to lose business this year, and are more likely to quickly pay, in the minds of cybercriminals.”
Gallagher explains, “Egregor is a Ransomware as a Service – we’ve seen multiple actors deploying it, using a variety of tactics. It is essentially a rebranded and slightly modified version of the Sekhmet ransomware we saw emerge earlier this year, packaged for affiliates. Egregor’s tactics are similar to those of Maze and REvil, in that data is stolen before files are encrypted, to be used to extort a quick payment from victims—generally, victims are only given 3 days to pay before the Egregor gang publishes part of the data or, they claim, sells it on criminal marketplaces.”
Bleeping Computer notes that it is unknown if attackers stole data, how many devices were encrypted, or the exact amount of money that was demanded by the attackers. Recent victims attacked by Egregor include Cencosud, Crytek, Ubisoft, and Barnes and Noble, reports Bleeping Computer.
Tyler Reese, Senior Product Manager at One Identity, says that it’s important for companies to know that even if they pay the ransom, which they shouldn’t, it doesn’t mean they’ll get the information back.
Reese explains, “Hackers have been increasingly turning to ransomware-as-a-service, which means that the attacker may not have the ability to release the information, allowing it to be available on the dark web forever. Instead of paying the ransom, organizations should look towards malware removal or executing a recovery plan. However, malware removal isn’t always possible, and a recovery plan could cause more downtime than an organization can simply afford. The only option to avoid paying the ransom would be to prevent the attack altogether by having the right security measures in place.”
He adds, “The first step of an effective security strategy is to know your enemy. Ransomware attacks find their way around internet security suites, commonly through phishing, to gain access to privileged credentials. Organizations are able to combat this by protecting their data with a strong privileged access management (PAM) strategy. PAM strategies protect companies’ data even if hackers are able to successfully execute a phishing attack by leveraging password vaults, monitoring and recording privileged sessions, using behavioral biometrics and following the principle of least privilege.”