MediaMarkt Infected with $240 Million Hive Ransomware Attack

MediaMarket has become a victim of a Hive Ransomware attack with an initial ransom demand of $240 million. The attack has caused IT systems to shut down and physical store operations to be disrupted across Europe.

MediaMarkt has been operating since 1979 across 13 countries. The electronics manufacturer employs approximately 53,000 employees and has a total sales of €20.8 billion.

The company was hit by the Hive Ransomware attack on Sunday evening which rolled into Monday morning. The attack encrypted servers and workstations and led to the shutdown of IT systems to prevent the attack’s spread.

While online sales are still possible, cash registers cannot accept credit cards or print receipts at affected stores. The systems outage is also preventing returns due to the inability to look up previous purchases.

Screenshots posted on Twitter of alleged internal communications state that 3,100 servers were affected in this attack.

Reporters at BleepingComputer that the strain involved was Hive Ransomware, and that the demand was a stunning $240 million.

Ransomware gangs commonly demand large ransoms at the beginning to allow room for negotiation and usually receive a fraction of the initial demand. However, in the attack on MediaMarkt, it is believed the amount was almost immediately lowered.

While it is not clear if unencrypted data has been stolen as part of the attack, Hive ransomware is known to steal files and publish them on their ‘HiveLeaks’ data leak site if a ransom is not paid.

Reporters reached out to MediaMarkt today and received the following statement:

“The MediaMarktSaturn Retail Group and its national organizations became the target of a cyberattack. The company immediately informed the relevant authorities and is working at full speed to identify the affected systems and repair any damage caused as quickly as possible. In the stationary stores, there may currently be limited access to some services.

MediaMarktSaturn continues to be available to its customers via all sales channels and is working intensively to ensure that all services will be available again without restriction as soon as possible.

The company will provide information on further developments on the topic.”

Behind Hive Ransomware

Hive Ransomware is a newcomer to the Ransomware world, having launched in June 2021. However, it is has already gained a reputation for striking out at several healthcare providers and multinational companies.

The Hive Ransomware operators breach organizations using malware-ridden phishing campaigns.

Once the gang gains access to a network, they will spread laterally through a network while stealing unencrypted files to be used in extortion demands.

Once the threat actors eventually gain admin access on a Windows domain controller, they deploy Hive Ransomware throughout the network to encrypt all devices.

The Hive Ransomware gang are known to seek out and delete backups prior to encryption. This is to kneecap the victim and prevent them from using backups to escape the Ransomware attack.

Unlike other strains that operate on just Windows, Hive Ransomware comes in different flavors used to encrypt Linux and FreeBSD servers, commonly used to host virtual machines.

While many ransomware outfits follow a ‘code of honor’ type system in which they will not encrypt healthcare institutions, nursing homes, government agencies, and other essential services, Hive Ransomware is known to target anybody.

This has meant their reputation has spread like wildfire, just as their attacks do.

In August, this was shown when Hive ransomware attacked the non-profit Memorial Health System, which forced staff to work with paper charts and disrupted scheduled surgeries.