Media Markt/Saturn: Ransomware attack by hive gang, $240 million US ransom demand

The ransomware attack on Media Markt/Saturn's service provider, which became public on November 8, 2021, was carried out by the Hive gang. According to various reports, the attackers demanded between $50 and $240 million in ransom. Since the attack on the service provider, Media Markt and Saturn stores in Belgium, Germany and the Netherlands have been operating in an offline emergency mode, which may cause some restrictions. Here is the latest information.

Yesterday I reported in the blog post Ransomware Attack on electronic retail markets of Media Markt/Saturn about the current attack, which took place in the night from Sunday to Monday. The approximately 3,100 servers operated by service provider Ceconomy AG, which run the merchandise management system that Media Markt and Saturn stores access, were encrypted by ransomware.

The electronics stores of the two groups were able to open, but are operating in a kind of emergency mode. Customers can still shop at Media Markt, but the checkout systems have been separated from the merchandise management system, so all operations that require access to this data are unavailable or only available to a limited extent. Returns of goods, vouchers and collection of orders are at least problematic, if not impossible. The service provider has instructed store employees not to take any action on their own under any circumstances and not to inform either customers or the press about the situation.

Hive gang responsible, high ransom demand

The colleagues at Bleeping Computer report in the following tweet that the Hive ransomware was used and that the extortionists initially made the unrealistic demand of 240 million US dollars.

[Tweet: Hive ransomware at Media Markt/Saturn]

However, the initial demand is said to have been reduced very quickly in order to have any chance of a ransom payment at all. The Dutch website RTL Nieuws writes here that the demand currently stands at around 50 million US dollars (43 million euros), which is still a considerable sum. According to the report, the payment is currently being negotiated.

The ransomware group operates its own website where victims can contact the criminals. Contact takes place via a chat window in which the amount of the ransom can be negotiated. A "help desk" offers to decrypt a few encrypted files as a sample; this is how Hive demonstrates to victims that it actually holds the decryption key for the ransomware. Once payment is made, the decryption software or a restore option for the affected systems appears on the same page.

Hive is known for extorting its victims with stolen data as well. In various cases the criminals have threatened to publish victims' data in order to increase the pressure, in the hope that the victims will pay. It is currently unclear whether the group has also exfiltrated data from Media Markt.

The Hive ransomware gang is still fairly new and has only been active since June 2021. It is best known for attacks on hospitals: in August 2021 the gang was responsible for ransomware attacks on three American hospitals, which had to cancel surgical procedures and radiological examinations as a result of the infection.

The FBI writes that the attackers often gain initial access via phishing emails with malicious attachments. The gang also attempts to penetrate systems and move through the network via Remote Desktop Protocol (RDP). The group is capable of attacking systems running Windows, Linux and FreeBSD.
