Ransomware has an increasing impact on our society, but little is known about how these cybercriminals operate, professionalize their work and put victims under pressure.
For the first time, RTL Nieuws gives an exclusive look behind the scenes:
Computers held hostage
It is Monday 8 November 2021 when MediaMarkt’s computers are suddenly locked. The company asks employees to avoid the hijacked systems and only sell products that are physically in the store. Collection and return of products are no longer possible.
According to MediaMarkt, the criminal hackers carried out a ‘highly targeted’ attack on the systems, where Windows systems were held hostage on a large scale. It concerns computers in the European branches, including 49 stores in the Netherlands.
‘Can you please answer’
On the same day, before the news of the ransomware attack became known, MediaMarkt was already talking to the cybercriminals. The company is communicating with the ransomware group Hive, which has been attacking businesses and organizations since June 2021, taking their computers and files hostage. Hive often demands millions in ransom to be paid in bitcoin.
“Hello and welcome to Hive. How can I help you today?”, it says as soon as MediaMarkt starts a chat with the cybercriminals. Ransomware gangs often respond very politely, says Pim Takkenberg from cyber security company Northwave. He regularly negotiates with ransomware criminals for his work: “If you’re decent, you’re more likely to get paid than if you immediately start cursing and extorting. You catch more flies with a spoonful of syrup than with a barrel of vinegar.”
At the top left of the screen are the victim’s name, in this case MediaMarkt, its latest annual turnover and its number of employees. MediaMarkt asks if anyone is there, but it stays quiet for hours. “Can you please answer,” asks someone from MediaMarkt. “I want to know the offer and how we can get the files back.”
This is Hive, the infamous ransomware group
Many ransomware groups have refrained from attacking hospitals during the pandemic, but not Hive. This makes Hive infamous even in the cybercriminal world. Last August, the cybercriminals held three US hospitals hostage, forcing the cancellation of surgical procedures and radiological examinations.
The ransomware group has its own website on the dark web, the hidden part of the internet where victims can go to connect with the cybercriminals. This is now completely normal, explains Takkenberg: “There are now large criminal organizations behind ransomware attacks, and almost all of them have their own environment where victims can come into contact with them.”
The credentials needed to chat with Hive are on each hostage computer, in a text file on the desktop. “Your network has been hacked and all data has been encrypted,” the text file reads. “To gain access to all data again, please purchase our decryption software.” Then, after four hours, Hive suddenly responds again: “To make your files available again, you must pay 50 million dollars in bitcoin.”
Test a few files for free
MediaMarkt asks how it can be sure that the company will actually get all its files back. Hive then suggests a test: a few files are decrypted and made available for free, as proof that Hive actually has the key to all the hostage files. Hive’s dark web website has a dedicated section for this.
“With a kidnapping you have the photo with a newspaper with the correct date on it as evidence; with ransomware you have to decrypt a few files,” explains Takkenberg. “These criminals feel they are providing you with a service: they expose vulnerabilities in your systems and demand money for it. It’s just kind of a business model for them.”
The offer then appears on the right side of the website: 50 million dollars. The address where the bitcoins are to be sent is included. There is also a button to download software that makes the computers available again, but you cannot press the button until payment is made. Criminals usually calculate the size of the ransom to be around 2 percent of the annual turnover. Takkenberg: “But often you can still negotiate 25 to 50 percent of the price.”
“We can’t trust you, so make up your mind: Either you give us a reasonable offer, or you don’t get any money at all,” says MediaMarkt. “The damage has already been done. We can’t afford to pay $50 million over the long term. Just because a company has a high turnover doesn’t mean we’re making that much.” Hive then asks MediaMarkt what it is willing to pay.
Where do ransomware criminals come from?
The majority of ransomware criminals come from Russia or a former Russian state, says Takkenberg: “About 75 percent of all ransoms go to Russian-speaking countries. The criminals often advertise on Russian forums, often look for Russian-speaking employees, and they do not attack Russian countries. In short: the Russian government will leave you alone if you do not attack Russian states.”
It stays quiet for a few days. Then MediaMarkt says it can make ‘no offer’ because the company still has a number of questions. First of all, how did Hive get in, and if paid, will it receive a “detailed overview” of how the company was hacked to close the digital holes? MediaMarkt continues: “Management does not care about the private data of our customers or employees. We would like to see an example of what data would get us in trouble if you released it. If you share this information, we will consider an offer.”
When MediaMarkt finds out on November 11 that unauthorized persons may be secretly reading the negotiations, it asks Hive whether a new username and password can be created. These credentials are sent to an email address specially created by MediaMarkt. After that, the negotiations continue.
MediaMarkt emphasizes that it cannot meet Hive’s ransom demand: “Due to corona and the stores that had to close, we do not have the money to pay this amount.” The company also says it is in talks with its insurer to see whether the ransom can be refunded. It asks how Hive can help make the hostage computers available again and whether Hive still has access to the network.
In the background, MediaMarkt is busy restoring backups. “We have been working at full capacity to identify and fully restore affected systems,” a company spokesperson said. The company does not want to say more about the attack: “For us, the matter is resolved, and we will not make any further announcements.”
A few days later, MediaMarkt tells Hive that it is restoring the backups and asks whether it can pay a lower amount if Hive makes only some of the hijacked computers available again. Then, on November 22, comes the final message from MediaMarkt: it has restored almost all systems, and it asks what Hive now considers a reasonable amount for the last computers still held hostage.
“How are you feeling?” Hive asks after a few days of silence. It remains silent.
How often are payments made?
It’s hard to say. According to Chainalysis, which monitors Bitcoin transactions, around $600 million in ransoms was paid out last year. Takkenberg sees a declining trend in the share of companies that pay: last year it was still 80 percent of the affected companies that turned to Northwave; now that figure is around 60 percent.
In the media, you often read stories about companies and organizations that refuse to pay; those who do pay prefer not to disclose it. RTL Nieuws previously reported that RTL Nederland paid a ransom of 8,500 euros to the criminals behind the ransomware attack on it last September.
One last attempt
Hive adds MediaMarkt to its long list of non-paying victims. The names are collected on a website on the dark web. If sensitive data has also been stolen, it can be downloaded there. For some companies you will see copies of employee passports, contracts with other organizations and other trade secrets.
On MediaMarkt’s entry there is no data download button: confirmation that Hive only encrypted the files and did not also steal them. “This means that the criminals are missing an important means of exerting pressure,” says Takkenberg. “You regularly see payments because the company is afraid that very sensitive data will be leaked, which could cause a lot of damage to its image. But if you have enough backups and no data has been stolen, then the best option is not to pay.”
MediaMarkt has not paid any ransom to the cybercriminals. In early December, after two weeks of silence, Hive makes one last attempt to get money from MediaMarkt: “Look, if you still need access, we can really talk about it.”