Ransomware is having an increasing impact on our society, but not much is known about how these cybercriminals operate, professionalize their work, and put pressure on victims.
RTL Nieuws gives, for the first time, an exclusive behind-the-scenes look.
Computers held hostage
It’s Monday, November 8, 2021, when MediaMarkt’s computers are suddenly locked. The company asks employees to stay away from the systems being held hostage and to sell only products that are physically in the store. Picking up and returning products is no longer possible.
According to MediaMarkt, the criminal hackers carried out a ‘very targeted’ attack on its systems, taking Windows systems hostage on a large scale. These are computers in the European branches, including 49 stores in the Netherlands.
‘Can you please answer’
On the same day, even before news of the ransomware attack becomes public, MediaMarkt is already talking to the cybercriminals. The company communicates with the ransomware group Hive, which has been attacking companies and organizations since June 2021, taking their computers and files hostage. Hive often demands millions in ransom, to be paid in bitcoin.
“Hello and welcome to Hive. How can I help you today?” reads the greeting as soon as MediaMarkt opens a chat with the cybercriminals. Ransomware gangs often respond very politely, says Pim Takkenberg from the cyber security company Northwave. He regularly negotiates with ransomware criminals for his work: “If you’re polite, you’re more likely to get paid than if you immediately start scolding and blackmailing. You catch more flies with a spoonful of syrup than with a barrel of vinegar.”
At the top left of the screen are the name of the victim, in this case MediaMarkt, its most recent annual turnover and its number of employees. MediaMarkt asks if anyone is present, but there is silence for hours. “Can you please answer,” asks someone from MediaMarkt. “I want to know the offer and how we can get the files back.”
This is Hive, the infamous ransomware group
Many ransomware groups have refrained from attacking hospitals during the pandemic, but not Hive. That makes Hive infamous in the cybercriminal world. Last August, the group took three U.S. hospitals hostage, forcing surgical procedures and radiological examinations to be canceled.
The ransomware group has its own website on the dark web, the hidden part of the internet, where victims can go to contact the cybercriminals. That is now quite normal, Takkenberg explains: “Large criminal organizations are now behind ransomware attacks, and they almost all have their own environment where victims can come in contact with them.”
The credentials needed to chat with Hive are on every computer held hostage, in a text file on the desktop. “Your network has been hacked and all data has been encrypted,” the text reads. “To access all data again, you must purchase our decryption software.” Then, after four hours, Hive suddenly replies again: “To make your files available again, you have to pay $50 million in bitcoin.”
Test a few files for free
MediaMarkt asks how it can be sure that the company will actually get all its files back. Hive then suggests that MediaMarkt submit a few files, which will be decrypted for free, as a kind of proof that Hive has the key to all the files being held hostage. The Hive site on the dark web has a special section for this.
“In a kidnapping, you have the picture with a newspaper with the correct date on it as proof, with ransomware you have to decrypt a few files,” Takkenberg explains. “These criminals think they’re giving you a service, they’re exposing vulnerabilities in your systems and demanding money for it. It’s just a kind of business model for them.”
The demand is displayed on the right side of the website: $50 million. The bitcoin address the payment should go to is included. There is also a button to download software that makes the computers available again, but the button only works once the payment has been made. Criminals usually calculate the ransom at about 2 percent of annual revenue. Takkenberg: “But you can often negotiate 25 to 50 percent off the price.”
“We cannot trust you, so decide: either you give us a reasonable offer, or you get no money at all,” says MediaMarkt. “The damage has already happened anyway. We can hardly afford to pay $50 million. The fact that a company has a high turnover does not mean that we earn that much.” Hive then asks MediaMarkt what it is willing to pay.
Where do ransomware criminals come from?
The majority of ransomware criminals come from Russia or a former Russian state, Takkenberg says: “About 75 percent of all ransom goes to Russian-speaking countries. The criminals often advertise on Russian forums, recruit mostly Russian-speaking employees, and they do not attack Russian-speaking countries. In short, the Russian government will leave you alone if you do not attack Russian states.”
It stays quiet for a few days. Then MediaMarkt says it can make ‘no offer’ yet because the company still has a number of questions. First of all, how did Hive get in, and once paid, will it receive a ‘detailed overview’ of how the company was hacked, so that it can close the digital gaps? MediaMarkt continues: “Management does not care about our customers’ or employees’ private data. We would like to see an example of what data would get us in trouble if you published it. If you share this information, we believe in an offer.”
When MediaMarkt finds out on 11 November that unauthorized persons may be secretly reading along during the negotiations, it asks Hive whether a new username and password can be created. These are sent to a special e-mail address set up by MediaMarkt. Then the negotiations continue.
MediaMarkt emphasizes that it cannot meet Hive’s ransom demand: “Due to corona and the stores that may close, we do not have the money to pay this amount.” The company also says it is in negotiations with its insurer to see whether the ransom can be reimbursed. It asks how Hive can help make the hostage computers accessible again and whether Hive still has access to the network.
In the background, MediaMarkt is busy restoring backups. “We have been working at full capacity to identify and fully restore the affected systems,” a company spokesman said. The company does not want to say more about the attack: “The case has been clarified for us and we will not make any further announcements.”
A few days later, MediaMarkt tells Hive that it is in the process of restoring the backups and asks whether it can pay a lower amount if Hive only makes some of the hostage computers available again. On November 22, the last message comes from MediaMarkt: it has restored almost all systems, and it asks what Hive now considers a reasonable amount to pay for the last computers still held hostage.
“How are you feeling?” Hive asks after a few days of silence. There is no reply.
How often do victims pay?
It’s hard to say. According to Chainalysis, which monitors bitcoin transactions, about 600 million euros in ransom were paid last year. Takkenberg sees a downward trend in companies paying: last year, 80 per cent of the affected companies that knocked on Northwave’s door paid; now that figure is around 60 per cent.
In the media, one often reads stories about companies and organizations that refuse to pay; those that do pay prefer not to make it public. RTL Nieuws has previously reported that RTL Nederland paid EUR 8,500 in ransom to the criminals behind a ransomware attack in September last year.
One last attempt
Hive adds MediaMarkt to its long list of victims that have not paid. The names are gathered on a website on the dark web. If sensitive data was also stolen, it can be downloaded there. For some companies there are copies of employee passports, contracts with other organizations and other trade secrets.
For MediaMarkt there is no download button for data: confirmation that Hive only encrypted files and did not steal them as well. “As a result, the criminals lack an important means of exerting pressure,” Takkenberg said. “You regularly see payments being made because the company is afraid that very sensitive data will be leaked, which can cause major image damage. But if you have enough backups and no data has been stolen, then the best option is not to pay.”
MediaMarkt has not paid any ransom to the cybercriminals. In early December, after two weeks of silence, Hive makes one last attempt to get money from MediaMarkt: “Look, if you still need access, we can really talk about it.”