MediaMarkt, a major consumer electronics retailer, has been hit by the “Hive” ransomware with a ransom demand of $240 million, which has shut down IT systems in the Netherlands and Germany, disrupting store operations.
MediaMarkt is currently the victim of a massive cyber attack. This concerns our branches in Europe, including the Netherlands, Belgium and Germany. Our stores are open for business, but no collections or returns are available.
This is evident from an internal email sent by MediaMarkt to its employees. A MediaMarkt spokesperson confirmed that the company had been affected by the cyberattack and that this had been communicated internally.
MediaMarkt is Europe’s largest consumer electronics retailer with more than 1,000 stores in 13 countries, about 53,000 employees and total sales of 20.8 billion euros.
Attack by “Hive” ransomware
MediaMarkt was hit by a ransomware attack that encrypted its servers and workstations, and the company shut down its IT systems to prevent the attack from spreading.
This attack affected a large number of retail stores in the Netherlands and throughout Europe.
Online sales are continuing as usual, but it appears that cashiers in stores are unable to accept credit cards or print receipts. In addition, because of the system outage, past purchase history cannot be looked up and returns cannot be processed.
According to local media, MediaMarkt has instructed employees to disconnect cash registers from the network, and a screenshot of the alleged internal communication posted on Twitter shows that 3,100 servers were affected by the attack.
It has been confirmed that the “Hive” ransomware was used in this attack. The attackers demanded a huge ransom of $240 million (24 billion yen) in exchange for a decryptor for the encrypted files, which is not a realistic amount.
It is common for ransomware groups to open with a large demand to leave room for negotiation, and they usually receive only a fraction of the initial demand.
It is not clear whether any unencrypted data was stolen in this attack, but the Hive ransomware group is known to publish stolen data on its data leak site, HiveLeaks, if the ransom is not paid.
MediaMarkt on this attack
MediaMarktSaturn Retail Group and its domestic companies were the target of a cyber attack. The company immediately notified the relevant authorities and is doing everything in its power to identify the affected systems and repair the damage caused as quickly as possible.
Access to some of our services may currently be restricted.
MediaMarktSaturn continues to serve customers through all of its sales channels and is working intensively to ensure that all services are available again without restrictions as soon as possible.
The company will keep you informed of further developments on this matter. – MediaMarkt
What is the Hive ransomware?
Hive is a relatively new ransomware group that appeared in June 2021 and is known to infiltrate organizations through malware-laden phishing attacks.
Once it gains access to a network, it spreads laterally within it, stealing unencrypted files and using them for blackmail demands.
Once the attackers obtain administrator privileges on a Windows domain controller, they deploy the ransomware across the network and encrypt all devices.
This ransomware has been known to seek out and delete backups so that victims cannot use them to recover their data.
Hive has also developed variant ransomware that encrypts Linux and FreeBSD servers, which are commonly used as hosts for virtual machines.
Unlike ransomware groups that don’t encrypt critical services such as healthcare, nursing homes, and government agencies, the Hive ransomware doesn’t seem to care who it’s targeting.
In August 2021, the Hive ransomware attacked the nonprofit Memorial Health System, forcing people to work with paper medical records and disrupting scheduled surgeries.