Pierluigi Paganini
November 08, 2021
Electronics retail giant MediaMarkt was a victim of a ransomware attack that forced the company to shut down its IT infrastructure to contain the threat and disrupted store operations in the Netherlands and Germany.
Media Markt is a German multinational chain of stores selling consumer electronics with over 1000 stores in Europe.
MediaMarkt operates in 13 countries and employs approximately 53,000 employees and has a total sales of approximately €21 billion.
The attack took place over the weekend, the personnel at the stores was not able to accept credit card payments or print receipts. The sales online were not affected by the security incident.
“The cash registers can only scan and accept physical products from the stores. The stores will remain open, but can only sell products that are physically in the store. It is not possible to collect or return the products due to the cyber attack. Customers may also have to wait a while for an ordered package, because products can no longer be sent from the stores.” reported the local outlet RTLNieuws.
The company told employees that computers in the stores can no longer be used and asked them to disconnect cash registers from the network and do not restart systems.
Bleeping Computer, citing screenshots posted on Twitter, reported that 3,100 servers were infected with the ransomware.
The company launched an investigation into the incident, at the time of this writing it is not clear which is the ransomware family that hit the company.
Update November 8, 2021
BleepingComputer revealed that the company was hit by the Hive Ransomware gang, it also added that the initially demanded ransom was $240 million.
The Hive gang has been active since June 2021, it implements a Ransomware-as-a-Service model and employs a wide variety of tactics, techniques, and procedures (TTPs). Government experts state that the group uses multiple mechanisms to compromise networks of the victims, including phishing emails with malicious attachments to gain access and Remote Desktop Protocol (RDP) to move laterally once on the network.
In order to facilitate file encryption, the ransomware look for processes associated with backups, anti-virus/anti-spyware, and file copying and terminates them. The Hive ransomware adds the .hive extension to the filename of encrypted files.
According to the experts, Hive operators have already hit tens of organizations and the discovery of a Linux variant demonstrates that the gang is expanding its operations.
Follow me on Twitter: @securityaffairs and Facebook
| [adrotate banner=”9″] | [adrotate banner=”12″] |
(SecurityAffairs – hacking, ransomware)
[adrotate banner=”5″]
[adrotate banner=”13″]
