Cyber Incident Victim: MediaMarkt
Date:
Nov 2021
Location:
Germany
Summary
MediaMarkt, a major European electronics retailer, suffered a Hive ransomware attack that encrypted servers and workstations, forcing IT system shutdowns to contain the breach and disrupting in-store operations across multiple countries. The incident impaired credit card processing, receipt printing, and return services at physical locations while online sales remained functional; the attackers initially demanded $240 million—later reduced—for decryption. Hive ransomware operators typically infiltrate networks via phishing, steal unencrypted data for extortion, delete backups to hinder recovery, and indiscriminately target organizations, including critical infrastructure.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
On November 7, 2021, European electronics retail giant MediaMarkt suffered a ransomware attack attributed to the Hive ransomware operation. The attack began late Sunday evening and continued into Monday morning, encrypting servers and workstations across the company's infrastructure. MediaMarkt, operating over 1,000 stores across 13 countries with €20.8 billion in annual sales and 53,000 employees, responded by proactively shutting down IT systems to contain the attack's spread. This containment measure caused operational disruptions primarily in Netherlands and Germany stores, where cash registers became unable to process credit card payments or print receipts. The systems outage also prevented customer returns due to inaccessible purchase records. Online sales platforms remained operational throughout the incident. Internal communications instructed employees to avoid interacting with encrypted systems and disconnect cash registers from the network, though the company did not publicly confirm these specific mitigation steps. Unverified reports suggested 3,100 servers were affected, though this figure remained uncorroborated at the time of reporting.
Hive ransomware operators initially demanded a $240 million ransom payment for decryption tools, an amount described as unusually high and unrealistic by industry observers. The demand was reportedly reduced almost immediately during negotiations, consistent with ransomware groups' typical strategy of starting with inflated figures. MediaMarkt confirmed the cyberattack in an official statement, noting they had immediately notified relevant authorities and were working to identify compromised systems and restore operations. The company maintained all sales channels remained available to customers but acknowledged limited service capabilities in physical stores. Hive ransomware, active since June 2021, typically gains initial access through phishing campaigns before laterally moving through networks to exfiltrate unencrypted files and delete backups. The group demonstrated capability to encrypt diverse systems including Windows domain controllers, Linux servers, and FreeBSD infrastructure, with no observed targeting restrictions against critical sectors, as evidenced by their August 2021 attack on Memorial Health System that disrupted surgical operations. MediaMarkt's incident response focused on damage assessment and system restoration without publicly disclosing recovery timelines or confirming whether data exfiltration occurred.