Blackmail 2.0
Why cyber criminals still have an easy time of it
What do Media Markt and Saturn, the medical software provider Medatixx and the US broker Robinhood have in common? They have all fallen victim to hackers who want to extort ransom money. There is no end in sight to the wave of attacks, although there have been some successes in the hunt for the perpetrators.
More and more often. More and more greedy. Criminal hackers are targeting companies and public institutions and often threaten to publish the data of uninvolved customers. In addition to the electronics store chain MediaMarktSaturn, the stock and crypto investment broker Robinhood, whose app is particularly popular with young people, has now also been hit in the USA. The IT service provider Medatixx, which supplies one in four medical practices in Germany with software, has also reported an attack.
As with most cyberattacks in recent weeks and months, it's all about money. According to the company, the Robinhood hackers are now in possession of the email addresses of around five million customers, and the full names of two million of them have also been captured. This combination can in turn be used to generate dangerous phishing emails in order to steal passwords and other sensitive information from customers.
The US broker can at least continue to offer its services in full, even if the hacker attack has damaged its image and pushed its own share price down.
Industry giants affected
MediaMarktSaturn's electronics stores were hit harder because the attack massively disrupted day-to-day business. The industry leader was hit by ransomware on Monday night, which encrypted the data of over 3,000 servers in just a few minutes. This paralyzed the Group's entire merchandise management system. In Media Markt and Saturn stores, customers could only pay in cash because card payments could no longer be processed. Gift vouchers could not be redeemed and warranty claims could no longer be handled.
According to an unconfirmed report by the online magazine Bleepingcomputer, the blackmailers, who used the Hive malware, initially demanded a ransom of 240 million US dollars for the release of the data, but then reduced their unrealistically high demand. MediaMarktSaturn now faces the challenge of restoring its systems from backups that are hopefully still usable.
However, it remained unclear on Tuesday whether the attackers had also copied the data before encrypting it, according to the report. Hive is known for 'double extortion', in which victims are not only blackmailed with the encrypted data, but also threatened with the publication of copies of the data. Security expert Rüdiger Trost from F-Secure fears the worst: "We can assume that the attackers have been active in the network for a very long time and have chosen the time and target systems carefully."
Bitcoin as the currency of choice
Ransomware has been considered the most serious threat to cyber security for years, partly because extortion is a particularly lucrative business. Settlements are often made in the digital currency Bitcoin: according to the US Treasury Department, the total value of suspicious Bitcoin activity reported in connection with ransomware in the first six months of 2021 amounted to USD 590 million. This figure is higher than the $416 million reported for the whole of 2020.
But despite constant warnings from the US authorities and the German Federal Office for Information Security (BSI) about the tense security situation, criminals are still managing to increase their success rate. There are several reasons for this. Firstly, many companies and public institutions do not have their IT systems under control. Security updates are installed late or not at all. After a cyber attack on the Berlin Court of Appeal, experts even recommended completely replacing the ailing IT infrastructure.
"Attacks are increasingly aimed at large and therefore lucrative targets," says expert Trost. Beyond the large companies and headlines, however, things are not looking any better. "On the contrary: SMEs are being attacked more and more frequently. They are less well protected and don't defend themselves as vigorously. And there are more and more cyber criminals carrying out ransomware attacks."
At the same time, attackers no longer need to be technical experts to launch cyberattacks. Ransomware can now be booked online as a service. The attackers share the extorted money with the hackers who developed the malware.
Lax prosecution - attacks tolerated by the state
However, criminals also benefit from the fact that ransomware attacks are not combated decisively. Many attacks originate in Russia or Eastern Europe. According to security experts, however, it is not possible to draw a clear line between criminal hacker groups and state-supported cyber operations, particularly in Russia. They accuse the Russian government of often tolerating criminal activities as long as they are aimed at foreign countries. Russian President Vladimir Putin denies this.
However, investigators from Europe, the USA and other parts of the world have now succeeded in tracking down suspected members of the hacker group REvil, which is based primarily in Eastern Europe. The US Department of Justice announced that a Ukrainian suspected of being behind the major cyberattack on the American IT service provider Kaseya, among other things, had been arrested in Poland. At the beginning of July, hundreds of companies in the USA and other countries were attacked with ransomware via a vulnerability at Kaseya. The police authority Europol announced in The Hague that two people had been arrested in Romania for allegedly carrying out attacks with the same software.
For security expert Trost, the strike against REvil is a turning point: "Cyber criminals must be careful not to act too brazenly in future. Otherwise, above a certain threshold, you have to reckon with the USA and its allies. And who wants to be hunted by the US for the rest of their life?"