MediaMarkt, the retail giant specialising in electronics, recently suffered a targeted attack employing Hive ransomware.

The insidious assault resulted in the commercial enterprise’s store operations facing considerable disruption throughout Europe, and dedicated IT systems being shut down. The attackers behind the ransomware raid initially made a request for $240m (approximately £180m).

MediaMarkt is currently the largest consumer retailer for electronics products in Europe. It has more than 1,000 outlets based in 13 different countries. It has a workforce of around 53,000 and its total sales are recorded at approximately €20.8bn (£17.5bn).

A targeted ransomware strike

The ransomware attack suffered by MediaMarkt occurred on a Sunday evening and Monday morning. The malicious software encrypted both workstations and servers, which led to the company’s IT systems being shut down to stop the attack spreading out across the network. While multiple retail outlets were impacted across Europe, it was the Netherlands-based stores that were the most severely affected.

Online sales continued to function normally, although cash registers were unable to accept customer credit cards or even print receipts at the affected stores. The disruptive systems outage also prevented returns being accepted as previous purchases could not be accessed.

Local news reported that MediaMarkt’s internal communications informed staff to avoid encrypted systems and told them to disconnect store cash registers from the company network.

The attack has been confirmed to have been authored by the Hive ransomware operation. The gang originally demanded a massive payment of $240m ransom in return for a decryption device to unlock all encrypted files.

Ransomware gangs demanding large amounts is a common tactic of gangs at the start of talks as it allows plenty of room for negotiation. Ultimately, ransomware groups typically are only awarded a fraction of their initial demand.

A statement by the retail giant commented on the recent events

“The MediaMarktSaturn Retail Group and its national organisations became the target of a cyberattack. The company immediately informed the relevant authorities and is working at full speed to identify the affected systems and repair any damage caused as quickly as possible. In the stationary stores, there may currently be limited access to some services. MediaMarktSaturn continues to be available to its customers via all sales channels and is working intensively to ensure that all services will be available again without restriction as soon as possible.”

What is Hive ransomware?

The Hive ransomware operation is a relatively new gang. It launched back in June this year and is known to penetrate organisations using phishing campaigns involving malware.

Once the gang has gained network access, threat operators usually spread laterally across a company’s network while stealing any unencrypted files available. These stolen files are then used in double-extortion-style attacks to add leverage to ransom demands.

After admin access has been obtained to a Windows domain controller, the operators launch ransomware across the network capable of encrypting any connected devices.

The Hive ransomware gang is also known to identify and delete any company backups to stop their targets making any data recovery attempts that might potentially thwart their plans.