Ransomware attack disrupted store operations in the Netherlands and Germany

Electronics retail giant MediaMarkt was hit by a ransomware attack that disrupted store operations in the Netherlands and Germany.

Electronics retail giant MediaMarkt was a victim of a ransomware attack that forced the company to shut down its IT infrastructure to contain the threat and disrupted store operations in the Netherlands and Germany.

Media Markt is a German multinational chain of stores selling consumer electronics with over 1000 stores in Europe.

MediaMarkt operates in 13 countries and employs approximately 53,000 employees and has a total sales of approximately €21 billion.

The attack took place over the weekend, the personnel at the stores was not able to accept credit card payments or print receipts. The sales online were not affected by the security incident.

“The cash registers can only scan and accept physical products from the stores. The stores will remain open, but can only sell products that are physically in the store. It is not possible to collect or return the products due to the cyber attack. Customers may also have to wait a while for an ordered package, because products can no longer be sent from the stores.” reported the local outlet RTLNieuws.

The company told employees that computers in the stores can no longer be used and asked them to disconnect cash registers from the network and do not restart systems.

Bleeping Computer, citing screenshots posted on Twitter, reported that 3,100 servers were infected with the ransomware.

The company launched an investigation into the incident, at the time of this writing it is not clear which is the ransomware family that hit the company.

Update November 8, 2021

BleepingComputer revealed that the company was hit by the Hive Ransomware gang, it also added that the initially demanded ransom was $240 million.

The Hive gang has been active since June 2021, it implements a Ransomware-as-a-Service model and employs a wide variety of tactics, techniques, and procedures (TTPs). Government experts state that the group uses multiple mechanisms to compromise networks of the victims, including phishing emails with malicious attachments to gain access and Remote Desktop Protocol (RDP) to move laterally once on the network.

In order to facilitate file encryption, the ransomware look for processes associated with backups, anti-virus/anti-spyware, and file copying and terminates them. The Hive ransomware adds the .hive extension to the filename of encrypted files.

According to the experts, Hive operators have already hit tens of organizations and the discovery of a Linux variant demonstrates that the gang is expanding its operations.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, ransomware)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.