Date: 2021-11-11

The MediaMarktSaturn group has suffered a heavy ransomware attack in recent days. It is difficult to say who did it: some in the Netherlands are ready to believe that it is the Hive group, which is said to have asked for 240 million dollars in bitcoin. At the moment, however, there is no claim on the hacker group's official “pr” page. The signature left on some clients, though, is that of the group that has already struck several times and has not even spared hospitals:

“Your network has been hacked and all data has been encrypted. To regain access to all your data, you must purchase our decryption software”

The request for 240 million dollars is obviously sized for a group that loses money every minute it stands still: with 20 billion euros in turnover and over 1000 stores scattered all over the world, MediaMarktSaturn is a precious morsel. According to some sources, the high demand was made in an attempt to close at 50 million dollars, the price of the decryption key that would allow the systems to return to operation and all the data to be recovered.

At the moment it is not even possible to know whether data has been exfiltrated, although the timing suggests an organized attack, planned for some time, that was meant to take place when MediaMarktSaturn could not afford an outage at all, that is, Black Friday.

The absence of a claim by the group could also be read as a sign of an ongoing negotiation, because getting back up and running as soon as possible is a real race against time. We wrote MediaMarktSaturn and not MediaWorld because the attack started in the Netherlands, apparently with classic infiltration techniques, and then spread to the central structure. Large companies tend to centralize everything, and as a result various branch structures, including the Italian ones, have been not so much damaged as disconnected.

MediaWorld Italia issued the following statement: “The IT systems of MediaMarktSaturn Retail Group and its local organizations, including MediaWorld in Italy, were the subject of a targeted action. The company immediately informed the competent authorities and is working tirelessly to identify the systems involved and implement any and all appropriate measures in order to resolve the situation as soon as possible. In the shops, which are always open to the public and operational, there may be limited access to some services. MediaMarktSaturn is actively working to ensure that all services are again available without any limitation in the shortest possible time. The company will provide information on further developments on the topic.”

In Italy they have disconnected many terminals to avoid the spread of the ransomware, and are thus forced to work blind, without communication with part of the servers that talk to the German servers, those of the parent company. MediaWorld is running and the shops are open, but some services are degraded or unavailable.

In these cases it is often easy to point the finger at the IT management of large companies, but seen from the outside, things often look simpler than they really are. As the huge number of attacks in recent years, and especially in the last year, has shown, it is increasingly difficult to manage the security of large companies that are becoming more and more digital. Often these companies have a reliable and experienced IT department, but despite this the “business” forces them to turn the whole infrastructure into a house of cards (or servers), with platforms that end up stacked on platforms.

The ideal would be to tear everything down and rebuild the IT infrastructure instead of laying new bricks on old bricks, but this is not always possible. Nobody can afford an outage lasting months. Penetration tests should also be carried out continuously on services, but the suspicion is that they are often not done precisely because the result is obvious. Hopefully, the situation for MediaMarkt will be resolved as soon as possible.