MediaMarkt hit by Hive ransomware, ransom now at 50 million

MediaMarkt, a multinational electronics retail chain, has been hit with ransomware from the threat group Hive, impacting thousands of servers and forcing IT systems offline, disrupting business operations and taking out key features of their online and in-store service. 

MediaMarkt is Europe’s largest consumer electronics retailer with over 1,000 stores in 13 countries, and employs around 53,000 employees. The company’s total sales are 20.8 billion euros, about 24.1 billion dollars.   

The initial ransom demand was 207 million euros, about 240 million dollars, for the threat actors to provide the decryptor to unlock the held-hostage, maliciously-encrypted files, however this has now been quickly downgraded to a 43 million euros ransom demand, which is roughly 50 million dollars. 

Ransomware attack 

MediaMarkt was hit by the ransomware attack through late Sunday evening into Monday morning that encrypted its servers and workstations, forcing the chain to take their IT systems offline in a containment strategy to impede further spread of the cyber attack. 

The attack has impacted numerous retail stores across Europe, primarily those in the Netherlands and also Germany to a good extent. While stores will remain open, they can only scan and accept payments in physical cash for shelf products only, the connection to the Internet severed and tills unable to take credit/debit cards or print receipts.  

Service for online stores has also been limited due to the attack, making it impossible to collect or return packages ordered online, or even send products from the stores themselves. The system outage is preventing returns due to the current lack of ability to look up previous purchases. 

Screenshots posted to Twitter alleged company internal communications had said that 3,100 servers have been affected by this attack. 

According to local media reports, MediaMarkt has also told employees to avoid encrypted systems and keep tills disconnected from the network. 

According to the ransom note, the threat group are claiming to have exfiltrated data and, in typical double-extortion ransomware style, that they “will be publicly disclosed” if the company doesn’t pay the ransom.  

The threat actors also allege that the police, the FBI and any recovery company MediaMarkt may hire “don’t care about your business”. They further claim that recovery companies “usually fail” at helping in a further attempt to pressure the company into paying the ransom. 

Although it remains unconfirmed if sensitive data was exfiltrated, Hive ransomware is well-known to steal data and post them to their HiveLeaks data leak site on the dark web if the ransom remains unpaid. 

After BleepingComputer reached out to the company, MediaMarkt confirmed to them that “The MediaMarktSaturn Retail Group and its national organizations” had been “the target of a cyberattack”. The company also said it had “immediately informed the relevant authorities and is working at full speed to identify the affected systems and repair any damage caused as quickly as possible”.  

MediaMarkt further said that “In the stationary stores, there may currently be limited access to some services,” however they continue “to be available to its customers via all sales channels” and that “they’re working intensively to ensure that all services will be available again without restriction as soon as possible”.  

Who are the Hive ransomware group? 

The Hive threat group is a relatively new threat group already making a name for themselves in the cyber world, recently launching a cyber attack against Macquarie Health Organisation in October and a Missouri Health Centre in September. 

Unlike some other threat groups that make (still somewhat dubious) promises that they will not target the healthcare sector, the Hive ransomware group has no such reservations or moral posturing. 

In August, the FBI Flash, a publication by the FBI’s Cyber Division, issued a warning to businesses and system administrators about Hive after their ransomware attack on the non-profit Memorial Health System, which disrupted scheduled surgeries and forced staff back in time, making them have to rely on pen and paper.  

The FBI Flash warning stated that the group was “first observed in June 2021” and is known to breach organisations through “a wide variety of tactics, techniques, and procedures (TTPs)”. 

While Hive commonly utilise malware-laced phishing campaigns and Remote Desktop Protocol to gain access and compromise networks.  Once they gain access to a network and perform privilege escalation, the threat actors deploy ransomware, “exfiltrate data and encrypt files”, holding the system hostage and using double extortion demands in order to strongarm companies into paying ransoms. 

The threat group is also known to search for and delete backups to impede their victim’s data recovery attempts independent of them. They have also created ransomware variants for encrypting Linux and FreeBSD servers, which are often used to host virtual machines, showing once again that they are one of many threat groups all companies need to watch out for.