Are cybercriminals turning away from the US and targeting Europe instead?

Are cybercriminals turning away from the US and targeting Europe instead?

Significant cyberattacks against critical targets in Europe have doubled in the past year, according to EU figures obtained by CNN. And with the announced pressure from the US against major ransomware gangs we can expect these figures to go up even more.

It’s also clear from recent attacks that the holiday season and the associated spending sprees make online retailers an attractive target for cybercriminals. Last week, we reported about UK based jewelry house Graff that was a target of Conti ransomware. But more and more European firms are showing up on the target list. Below you can see some examples from the last few days.

Angling Direct

The UK’s biggest fishing shop, Angling Direct has been hacked, with its website redirecting shoppers to an adult website. While this may seem a prank at first, there are signs that the hacker gained access to a few key systems of the company. Most people trying to access the site saw a warning like this:

redirect warning for wrong certificate

On top of that, Angling Direct’s Twitter account was taken over, and it would seem that the hacker has at least some access to Angling Direct’s mail server, as they have claimed a local mail account as their own.

Twitter message from the hacker

The company said it has brought in cybersecurity experts to tackle the problem, and alerted authorities. Angling Direct said it is too early to tell if any personal data has been compromised, but reassured customers that no payment data could have been leaked.


Dutch electronics retail giant MediaMarkt has fallen victim to the Hive ransomware group. The brick and mortar shops of MediaMarkt and Saturn, which can be found in the Netherlands, Belgium, Luxemburg, and Germany, are still open for business, as are their online shops, but the computer systems in the physical shops seem to be the ones that were encrypted. The cash registers cannot accept credit cards or print receipts at affected stores.

The systems outage is also preventing returns due to the inability to look up previous purchases. Employees were told not to use the computers in the shops, disconnect the cash registers from the network, and to refrain from rebooting systems.

While the functionality of its online shop seems unaffected, shoppers are shown a message that delivery may be delayed due to “technical problems.”


According to some sources, MediaMarkt is negotiating with the attackers about the 43 million Euro ransom (close to US$50 million) in Bitcoin.

Let’s go to Europe

For now it is hard to tell whether the increased amount of attacks in Europe is some sort of waterbed effect due to the US government’s harder stance against cybercriminals and ransomware in particular. It could be that it is simply ransomware groups expanding to new markets due to more competition among themselves and greener pastures on the other side of the pond. We have already seen a ransomware affiliate group called Lockean that concentrates on French targets.

In the ransomware industry, the time of “spray and pray” is long gone. Most of the well known groups know exactly which kind of targets they want to go after and even when the best time to strike is. So it’s not unlikely that we will see more of these attacks on online shops and large retailers with the shopping season around the corner.

For retailers it is time to shore up your defenses if you want to keep on serving your customers.

Stay safe, everyone!


Pieter Arntz

Malware Intelligence Researcher

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.