Photos from the warehouse, guidelines for application procedures and annual interviews, minutes of meetings, sales calculations, budget statements, including personal information about employees: the criminals who had sneaked into the computer system of the Tegut supermarket chain helped themselves generously.

The list of files that the hacker group Nefilim has been offering to everyone on its own portal on the so-called darknet for the past two days is very long.

"The malicious software must have been active in the system for a while in order to transfer so much data," speculates Silvana Rößler, head of the Security Incident Response & Digital Forensics department at Networker Solutions GmbH, based in Kronberg.

She and her team have to deal with attacks similar to those on the Fulda supermarket chain on a daily basis.

She knows the malware used and also what the criminals use for extortion.

The only thing Rößler cannot say is who they are and where they operate from.

E-mail system affected

There are currently more than 30 groups of hackers who bring malware into circulation. Many companies have already become their victims. The procedure is basically always the same: the virus is introduced via an e-mail with a fake sender, usually by an employee who accidentally lets it into the system. There the malware rummages through the programs, pulls in further viruses that switch off security barriers, and often also deletes the online backups. In the meantime, data theft is ongoing, and if the loot is large enough, the victim company's systems are encrypted.

The company notices the intruders in two ways. First, nothing works anymore. In the case of Tegut, according to its own information, the e-mail system was affected at the end of April, and the merchandise management system, which is used to control deliveries to the almost three hundred branches, failed completely. Customers were, and at times still are, faced with empty shelves. Second, the hackers contact their victim by e-mail and state the price that they expect in exchange for a program to decrypt the data.

According to Rößler, it ranges from five- to seven-digit sums. “As a rule, payment should be made in Bitcoin,” she reports. Tegut did not want to pay, as managing director Thomas Gutberlet put on record: "We do not encourage criminal machinations and do not engage in negotiations with criminals." Instead, the company is working under pressure to rebuild the systems. According to the company, this work has come a long way.

The blackmailers, however, followed through on their threat and released the stolen files to anyone who is able to find them and finds them interesting. The perpetrators even provide a brief company profile: 275 branches, part of the Swiss Migros Group, annual sales of 1.16 billion euros. They added “Part 1” to the data set, with further customer and employee data to follow. Rößler believes the hackers have data from online customers or holders of the Tegut customer card, for example. "They don't publish the most explosive material they have in the first batch."