MediaMarkt hit by Hive Ransomware, starting from $240 Million Ransom

Electronics retail giant MediaMarkt has been hit by a Hive ransomware attack with an initial ransom demand of $240 million, causing IT systems to shut down and store operations to be disrupted in the Netherlands and Germany.

MediaMarkt is Europe’s biggest consumer electronics retailer, with over 1,000 stores in around 13 countries. MediaMarkt employs approximately 53,000 people and has total sales of around €20.8 billion.

A Hive Ransomware Attack

MediaMarkt suffered a ransomware attack late Sunday evening into Monday morning that encrypted servers and workstations and led to the shutdown of IT systems to prevent the attack’s spread.

Our experts have also discovered that the attack affected various retail stores throughout Europe, primarily those in the Netherlands. While online sales continue to work as expected, cash registers cannot accept credit cards or print receipts at affected stores. The systems outage is also preventing returns due to the inability to look up previous purchases.

Local media report that internal MediaMarkt communications tell employees to avoid the encrypted systems and disconnect cash registers from the network. Screenshots of alleged internal communications posted on sites like Twitter state that 3,100 servers were affected in this attack. However, our experts have not been able to corroborate those statements at present.

Our experts have confirmed that the Hive ransomware operation is behind the attack and initially demanded a huge, but unrealistic, $240 million ransom for a decryptor for the encrypted files.

Ransomware groups generally demand large ransoms at the start to leave room for negotiation and usually receive a fraction of the initial demand. However, in the attack on MediaMarkt, our experts have been told it was almost automatically reduced to a much lower amount.

While it is not clear whether unencrypted data has been stolen as part of the attack, Hive ransomware is known to steal files and publish them on its ‘HiveLeaks’ data leak site if a ransom is not paid.

When we reached out to MediaMarkt earlier today about the attack, we received the following statement:

  • The MediaMarktSaturn Retail Group and its national organizations became the target of a cyberattack. The company immediately informed the relevant authorities and is working at full speed to identify the affected systems and repair any damage caused as quickly as possible. In the stationary stores, there may currently be limited access to some services.
  • MediaMarktSaturn continues to be available to its customers via all sales channels and is working intensively to ensure that all services will be available again without restriction as soon as possible.
  • The company will provide information on further developments on the topic. – MediaMarkt.

Who is Hive Ransomware?

Hive ransomware is a relatively new operation, launched in June 2021, that is known to breach organizations through malware-laced phishing campaigns. Once the attackers gain access to a network, they spread laterally through it while stealing unencrypted files to be used in extortion.

When they gain admin access on a Windows domain controller, they deploy their ransomware throughout the network to encrypt all devices. The ransomware gang is also known to seek out and delete any backups to prevent the victim from using them to recover data.

Hive has also created variants used to encrypt Linux and FreeBSD servers, which are commonly used to host virtual machines. Unlike some ransomware operations that will not encrypt healthcare institutions, nursing homes, government agencies, and other essential services, Hive ransomware does not seem to care whom it targets.

This was shown in August, when Hive ransomware attacked the non-profit Memorial Health System, forcing staff to work with paper charts and disrupting scheduled surgeries.
