Full Report
Fourlis Group, the operator of IKEA stores in Greece, Cyprus, Romania, and Bulgaria, has disclosed that the ransomware attack it suffered just before Black Friday, on November 27, 2024, caused losses estimated at €20 million ($22.8M). [...]
Analysis Summary
# Incident Report: Ransomware Attack on IKEA Operator in Eastern Europe
## Executive Summary
A ransomware attack targeted the Fourlis Group, the operator of IKEA, Intersport, Foot Locker, and Holland & Barrett stores in Eastern Europe, leading to significant operational disruptions primarily affecting IKEA's Home Furnishings segment and e-commerce during late 2024 through early 2025. The incident resulted in an estimated financial impact of €20 million (approximately $23 million) due to business interruption, although the group successfully restored systems without paying the ransom and found no evidence of data exfiltration.
## Incident Details
- **Discovery Date:** Not explicitly stated, but inferred from the disclosed impact period (December 2024 onwards).
- **Incident Date:** Attack occurred sometime prior to or around December 2024.
- **Affected Organization:** Fourlis Group (IKEA, Intersport, Foot Locker, Holland & Barrett licensees).
- **Sector:** Retail / Home Furnishings.
- **Geography:** Eastern Europe (Four countries mentioned, but specific nations not listed).
## Timeline of Events
### Initial Access
- **Date/Time:** Prior to or around December 2024.
- **Vector:** Ransomware initial compromise (specific vector not detailed).
- **Details:** Unknown, but led to the encryption or disruption of key business systems.
### Lateral Movement
- **Details:** Attackers likely achieved lateral movement to disrupt store replenishment systems and halt e-commerce, though specific movement techniques are not detailed.
### Data Exfiltration/Impact
- **Details:** The incident caused temporary disruptions in store replenishment and heavily affected the IKEA segment and e-commerce operations between December 2024 and February 2025. The investigation found no evidence of personal data leakage.
### Detection & Response
- **How it was discovered:** Disruption to IKEA business operations prompted discovery.
- **Response actions taken:** The group engaged external cybersecurity experts, restored affected systems, and successfully thwarted several subsequent attack attempts. Data protection authorities were notified as required by law.
## Attack Methodology
- **Initial Access:** Ransomware deployment (specific method unknown).
- **Persistence:** Not disclosed.
- **Privilege Escalation:** Not disclosed.
- **Defense Evasion:** Not disclosed, although the attackers were eventually stopped before data exfiltration occurred.
- **Credential Access:** Not disclosed.
- **Discovery:** Not disclosed.
- **Lateral Movement:** Implied, as store replenishment and e-commerce were broadly affected.
- **Collection:** Investigation found *no evidence* of data theft or leaks.
- **Exfiltration:** Attackers were seemingly unsuccessful in exfiltrating data.
- **Impact:** Business operations disruption (store replenishment and e-commerce).
## Impact Assessment
- **Financial:** Estimated at €15 million in losses through December 2024, plus €5 million in 2025, totaling approximately €20 million ($23 million).
- **Data Breach:** The investigation confirmed *no evidence* of personal data leakage. Data unavailability was temporary and systems were restored quickly.
- **Operational:** Significant temporary disruptions to IKEA store replenishment and e-commerce activities spanning December 2024 through February 2025.
- **Reputational:** Minor reputational risk associated with the operational downtime, though public transparency via press release mitigated some fallout.
## Indicators of Compromise
- **Network indicators:** None specified.
- **File indicators:** None specified.
- **Behavioral indicators:** System encryption/disruption linked to ransomware deployment.
## Response Actions
- **Containment measures:** Not explicitly detailed; rapid action to limit further impact is implied.
- **Eradication steps:** Restoration of affected systems utilizing external cybersecurity experts.
- **Recovery actions:** Systems were restored quickly; several subsequent attacks were successfully thwarted.
## Lessons Learned
- The company resisted paying the ransom, relying on established recovery procedures and expert assistance.
- The incident highlights the critical nature of supply chain and logistics systems (store replenishment) to retail operations.
- Despite a significant operational impact, the final forensic report indicated success in preventing data exfiltration.
## Recommendations
- Enhance network segmentation between core operational technology (OT)/logistics systems and standard IT infrastructure to limit the blast radius of future ransomware events.
- Review and strengthen endpoint detection and response (EDR) capabilities to identify and stop initial ransomware execution faster.
- Conduct proactive threat hunting for residual post-exploitation activity following restoration, given that several subsequent attack attempts had to be thwarted.