This weekend (6/7 November 2021), according to several sources, the electronics retailers MediaMarkt and Saturn were hit by a ransomware attack. Apparently, only the cash register and merchandise management systems in the stores are affected. The stores remain open for the time being.
The unknown extortionists demand $50 million in Bitcoin for the decryption of the data. They used the relatively new ransomware "Hive".
Ransomware attacks become more frequent
Ransomware encrypts the data on an end device so that the attackers can extort a ransom for its release. According to the current BSI situation report, such attacks have become increasingly frequent recently. Large companies in particular have repeatedly made the headlines as a result. The attackers are increasingly well organized and therefore more difficult to catch.
An extension of this strategy can also be observed. In some cases, attackers copy the data before encrypting it and then extort hush money under threat of publication. This approach can prove effective when the victim has backup copies of the data and therefore no interest in paying a ransom for decryption. If a ransomware attack takes place, it must therefore be assumed that the data has been compromised.
The biggest gateway for such attacks is probably social engineering: attempts to trick people, for example with cleverly forged emails, into clicking on malicious links or downloading attachments that install the malware.
MediaMarkt and Saturn affected by the encryption Trojan
The MediaMarkt and Saturn consumer electronics centers belong to Ceconomy AG. The group operates around 1000 stores in 13 European countries. A total of 3100 servers are probably infected with a crypto-virus.
The company said that it was "currently working intensively with internal and external experts as well as the relevant authorities to analyze and identify the damage caused as quickly as possible". At the moment, it could not be determined whether customer data had been tapped, nor what the specific extent of the attack was. The online stores are still functioning at the moment, but no service is possible in the stores except for the sale of inventory. Employees have been instructed not to use computers and to disconnect cash registers from the network.
However, the company is not making any further statements, referring to ongoing investigations. Negotiations are also still underway.
The attackers used the ransomware "Hive". According to a website on the Tor network, it has been active since June this year, making it a relatively new player. The FBI had already issued a warning about "Hive" in August, stating that the software poses significant challenges for defense and mitigation.
If you have any questions or problems in this area, our experts will be happy to advise you.