Cyber Incident Victim: Metaencrypter Victim
Date: Jul 2023
Location: Germany
Summary
A ransomware attack targeted a Munich-based publishing group. Perpetrators identifying as "Metaencrypter" encrypted and deleted most data and stole sensitive author information, including addresses, bank details, tax numbers, and contracts, affecting approximately 5,000 individuals. The attackers demanded a ransom, which the company refused; it subsequently reported the incident to cybercrime authorities, who are investigating attempted extortion, computer sabotage, and data manipulation. Operational disruption necessitated complete replacement of hardware and an infrastructure rebuild. Financial losses remain unquantified, and the stolen data could be misused for fraudulent transactions.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 2 motives | 1 technique |

| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
On or around July 25, 2023, the Münchner Verlagsgruppe, Germany's largest nonfiction publishing group, experienced a ransomware attack attributed to hackers identifying as "Metaencrypter." Employees discovered extortion messages on their computer screens upon powering on their devices at the start of the workweek, indicating unauthorized system access. The attackers demanded ransom payments to restore operations, but management immediately refused negotiations, with CEO Matthias Setzler stating, "We do not negotiate with criminals." Initial system analysis revealed extensive data destruction and encryption, rendering most business infrastructure inoperable. Forensic examination confirmed theft of sensitive information including author addresses, bank account details with tax identification numbers, telephone records, and contractual agreements between the publisher and approximately 5,000 authors across its imprints (Riva, FBV, mvg, Lago, Redline, avm). While prominent authors like Bettina Wulff and Uli Hoeneß were mentioned in media reports, the publisher clarified that celebrity data was not compromised as contracts were typically managed through literary agencies rather than stored internally.

The organization filed criminal complaints with Bavaria's Central Cybercrime Contact Point for Businesses at the State Criminal Police Office within days of detection. Investigators from Munich Police Headquarters' Commissariat 122 and the Bamberg Public Prosecutor's Office launched formal proceedings for attempted extortion, computer sabotage, and data alteration under the leadership of Deputy Chief Prosecutor Thomas Goger. Operational impacts necessitated complete replacement of all workstations and reconstruction of IT infrastructure, with Setzler acknowledging an inability to quantify financial losses. The publisher initiated written notifications to affected authors warning of potential fraudulent financial transactions, particularly unauthorized direct debits, and advising vigilant account monitoring. Historical context from law enforcement indicated low resolution rates for comparable ransomware cases in Bavaria, with Goger noting that encrypted data typically remains permanently unrecoverable even after investigations. No evidence suggested publication of stolen data in darknet markets at the time of reporting, though standard criminal protocols for such attacks implied this remained a possibility. Business continuity efforts focused on manual data reconstruction from offline backups where available, while authorities continued technical and forensic analysis to identify perpetrators.
