The Media Markt attack: Dangers of ransomware

Ábel Maróti (Junior Marketing Manager, Avatao)

ransomware attack

As the holiday season approaches, both online and offline sales are increasing, putting more and more pressure on retailers. Black Friday is right around the corner, promising one-time special offers and stampedes of customers. This relentlessly busy time of year makes the retail industry a popular target for cyber attacks.

The details of the attack

With that in mind, it may not come as a surprise that Media Markt was recently attacked by the infamous hacker group Hive. Europe’s largest electronic retail chain reported the attack in the first week of November. The attackers’ ransomware encrypted and blocked files and services that are essential to sales operations. Hive initially demanded $240 million to provide the decryption software, an amount later reduced to $50 million, in the form of Bitcoins. According to sources, stores were affected all across Europe. The targets of the attack were the systems that are necessary for day-to-day on-site operations, not online business. The affected stores were unable to access orders, accept credit card payments, or retrieve earlier purchases. Several protective measures have been taken, such as unplugging LAN cables from registers, prohibiting staff from using local IT services, and rebooting systems. Hive has promised to return access to all encrypted files and services once the ransom is paid, but of course, we can never take that as a guarantee.

ransomware attack

Hive, a fairly new group of hackers, has launched successful attacks against other companies earlier this year. Many of the victims operate in the healthcare industry, and were all compromised with the same Hive ransomware, resulting in a flash warning from the FBI. They explained the methodology behind Hive’s ransomware, listed the common indicators of infiltration, and discouraged the paying of any ransoms. From what we know, Hive, hosted on the deep web, mostly uses ransomware for their attacks, and they seem to be an organized group with their own “customer service” which victims can contact.

About ransomware

Ransomware is a type of malicious software (malware) used for cyber attacks. When a computer or system gets infected with this type of malware, certain files can be encrypted, or access to certain parts of the system may be completely blocked. In exchange for getting access to the blocked files back, attackers demand a ransom, usually payable in cryptocurrencies. The attackers often set a deadline for the payment, adding even more pressure to the situation. If the deadline is not met, they might sell or leak the blocked files on one of their sites. There are generally two ways to deal with ransomware attacks: pay the ransom, or attempt to remove the software, though this latter option carries some risk. The malware may have built-in triggers which are activated if an attempt to remove or modify the software occurs.

Gaining access

There are several ways to infect computer systems with ransomware, though the most common are with phishing emails, compromised passwords, and software vulnerabilities. Once attackers have successfully found one or more weaknesses in your defense, they can steal or lock sensitive files or services.

Ransomware attacks have been on the rise lately. According to Cognyte’s Cyber Intelligence Report, almost as many ransomware attacks (1097) were reported in the first half of 2021 as in all of 2020 (1112).

To understand just how serious this type of attack can be, consider the fact that the US Department of Justice is working on elevating ransomware attacks to a similar priority level as terrorism.

ransomware statistics


Ransomware on the rise

There are many reasons ransomware has gained popularity among attackers. For one, ransomware and the tactics for spreading it are constantly evolving. There are now variants that are made for compromising mobile devices through alerts and pop-up messages, exploiting a whole new set of vulnerabilities. Ransomware-as-a-Service, where attackers can purchase or subscribe to ransomware tools already developed, has also been around for a while, with creators receiving a “commission” after a ransom is paid. The ongoing pandemic could be another factor. According to ABC News, malicious emails have increased by 600% because of COVID-19. As such, we should unfortunately expect more phishing attacks in the future.


There are many consequences following a ransomware attack, and having to pay the ransom is often just the tip of the iceberg. MediaMarktSaturn retail group, for instance, had total sales of €20.8 billion (approximately $23.6 billion) in 2019 according to their annual report. The demanded ransom of $50 million is less than 1% of their annual revenue, and yet we still talk about a huge financial loss. Besides losing money, ransomware attacks often result in massive changes, many of which are not easy, such as updating security measures and purchasing more up-to-date software. While trying to restore damaged systems and recover from the attack, productivity often suffers. The focus is on rebuilding and strengthening security, and there are always post-attack issues which require the help of additional IT support. Losing access to certain files, implementing new security processes, and restoring daily operations pulls resources away from business-as-usual operations. These are serious consequences, no doubt about it, but there is one even larger impact a ransomware attack can leave on a company: loss of trust. The reputation of an affected company can plummet. Everyone from customers to employees can lose faith in the organization. Because of the blemishes left by such an attack, companies tend to try to hush up the whole incident. A damaged reputation can result in a massive loss of customers, and restoring trust is a long and difficult road.

What to do

Ransomware attacks can be launched from many directions, and attackers can use a variety of tools to target computer systems and mobile devices. Just one software vulnerability, just one phishing email opened, and the malware is ready to be launched. As ransomware evolves, so must the defenses against it. Increased security awareness should be part of every company’s culture. A collective security mindset can help identify vulnerabilities and potential threats, and the best tool for building up the pillars of security is employee training. It takes regular practice to recognize and report phishing emails. Security skills and best practices are necessary to find software vulnerabilities and improve your code. Implementing a well-structured security training program can help operations run smoothly and your defenses to be strengthened.

Interested in what Avatao has to offer? Click on the link to learn more about our security solutions!


Share this post on social media!

Related Articles

JWT handling best practices

JWT handling best practices

The purpose of this post is to present one of the most popular authorization manager open standards JWT. It goes into depth about what JWT is, how it works, why it is secure, and what the most common security pitfalls are.

Ruby needs security

Ruby needs security

Every year, Ruby is becoming more and more popular thanks to its elegance, simplicity, and readability. Security, however, is an issue we can’t afford to neglect.

Python best practices and common issues

Python best practices and common issues

Python is a high-level, flexible programming language that offers some great features. To be as effective as possible, it is important to possess the knowledge to make the most out of coding with Python.