Hive ransomware gang looted $100 million from 1,300 victims (including Media Markt)

German electronics retailer Media Markt was the victim of a Hive ransomware attack in 2021. I had heard something about a $240 million ransom demand at the time. Now the FBI has put the damage caused by the Hive gang to 1,300 victims since June 2021 at $100 million. The FBI also provides evidence of infections and how the group operates.


FBI releases Hive data

The information was released this week by the Federal Bureau of Investigation (FBI) in cooperation with US CISA (Bleeping Computer has reported). Their joint statement reads:

As of November 2022, Hive ransomware actors have damaged more than 1,300 companies worldwide and received about $100 million in ransom payments, according to the FBI.

This is the first time I've read numbers about the group. The Hive ransomware uses the Ransomware-as-a-Service (RaaS) model, where developers create, maintain and update the malware while partners (affiliates) carry out the ransomware attacks. From June 2021 through at least November 2022, threat actors deployed Hive ransomware to attack a wide range of enterprises and critical infrastructure, including government facilities, communications facilities, critical manufacturing facilities, information technology, and especially healthcare and social services.

On the relevant CISA page StopRansomware: Hive Ransomware, the FBI and CISA describe the technical details of the attacks, which exploit the following vulnerabilities:

  • CVE-2021-31207 – Microsoft Exchange Server Security Feature Bypass Vulnerability
  • CVE-2021-34473 – Microsoft Exchange Server Remote Code Execution Vulnerability
  • CVE-2021-34523 – Microsoft Exchange Server Privilege Escalation Vulnerability

If successful, the cybercriminals embed malware, pull data for extortion attempts, and finally encrypt the affected servers to extort the victims. In Germany, the successful attack on an IT service provider was the most talked about because it paralyzed the Media Markt/Saturn electronics stores in 2021.

The attack on Media Markt in 2021

In November 2021, there was a successful cyber attack by the Hive gang on the IT systems of the service provider Ceconomy AG, as a result of which around 3,100 servers were encrypted. The systems were running the merchandise management system of Media Markt/Saturn – I had reported in the blog post Ransomware Attack on electronic retail markets of Media Markt/Saturn.


The electronics stores of the two aforementioned groups were able to open, but were forced to operate in a kind of emergency mode. Customers were able to shop at the stores. But the checkout systems were separate from the merchandise management system, meaning that all operations requiring access to this data were not available, or only available to a limited extent. It was virtually impossible to return goods, issue vouchers or pick up orders.

The service provider then instructed the employees in the stores not to take any action themselves and not to inform either customers or the press about these facts. I then reported that the Hive ransomware group had probably made the unrealistic demand of 240 million US dollars. Subsequently, the gang reduced this sum in order to get into a range of realistic ransom sums that might be paid. From then on, however, there was radio silence regarding further information. When I then read in the FBI report that the ransomware gang captured 100 million US dollars from 1,300 victims, the Media Markt/Saturn service provider either did not pay or paid very little.
