Funke Media Group suffers nationwide ransomware attack in Germany

On December 22, Germany’s third largest publisher fell victim to a cyberattack that affected systems in offices all around the country. The Funke Media Group publishes dozens of newspapers, like Berliner Morgenpost, Hamburger Abendblatt, and Bergedorfer Zeitung, as well as magazines, several local radio stations, and online news portals. It reaches over 3 million readers on a daily basis.

The impact of the ransomware attack

The attack hindered work at the newspaper editorial offices and halted some of its major printing houses. As a result, subscribers received only emergency issues of a few pages. Because of this impact on the printed editions of the newspapers, the publishing house has decided to temporarily remove the paywall that is normally active on its news site, so everyone has full access to all of its articles. Unlike the newspapers, the magazines that belong to the Funke Media Group are not expected to be delayed.

The press release by Funke states that several of its main systems in offices around Germany had been encrypted. This would indicate a ransomware attack. In a later press release, Funke stated that over 6000 laptops and thousands of other systems (endpoints and servers) were affected, and that its IT staff worked with the help of cybersecurity professionals throughout the holidays to get as many systems as possible up and running again. The attack is under investigation by police.

Getting the damage undone

The IT specialists have organized wipe and rebuild lines in the style of a digital car wash. These are functional in three of the publisher’s main locations where all the laptops are checked, cleaned, re-installed, and then returned to users. On January 4, some 1200 endpoints had undergone this procedure.

As we’ve pointed out many times before, the damage that’s done by ransomware is far greater than the amount of the ransom. It takes huge efforts to get a large-scale operation up and running again, especially in this case where the victim is a widespread and highly computerized organization like a major publisher.

Leaked data

Many of the major current ransomware families threaten to publish breached data in order to gain greater leverage and pressure the victim into paying the ransom. With over three million subscribers and maybe even some interesting information unearthed by journalists, a leak of the obtained information could be very costly.

Since it’s unknown which type of ransomware was used in this attack, it is not yet possible to tell whether any data were exfiltrated during the attack, and whether any such data will be published if the Funke Media Group refuses to pay the ransom. Of course, we will keep you posted about any developments.

Stay safe, everyone!


Pieter Arntz

Malware Intelligence Researcher

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.