Ransomware Group Claims Breach of Pro-Orbán Hungarian Media Firm

What happened

The World Leaks cyber-extortion group has claimed responsibility for a ransomware attack on Mediaworks, a Hungarian media company widely regarded as part of the pro-government media ecosystem aligned with Prime Minister Viktor Orbán. The group released approximately 8.5 terabytes of allegedly stolen data on its dark web site last week, with local media outlets reporting the leaked material includes payroll records, contracts, financial statements, and internal communications.

Mediaworks confirmed the incident on Friday, acknowledging that a significant amount of illegally obtained data may have come into the possession of unauthorized persons and stating it had launched an investigation. The company urged journalists not to report on the leaked material, arguing that using data obtained through criminal means could itself constitute a crime under Hungarian law. Despite the warning, several independent Hungarian outlets published reports based on the leaked data, including coverage of notes from a January 2025 editorial meeting that allegedly referenced contacting Moscow for assistance with articles discrediting Ukrainian President Volodymyr Zelensky. Mediaworks threatened legal action against outlets that published the material. The authenticity of the leaked data and the reported memo has not been independently verified.

World Leaks emerged in early 2025 as a rebrand of the Hunters International ransomware operation. Unlike traditional ransomware groups, it focuses on data theft and extortion rather than encrypting systems, threatening to publish stolen data unless victims comply. The group has primarily targeted organizations in the United States and Europe, and the Mediaworks attack appears to be its first known operation in Hungary.

Who is affected

Mediaworks employees, journalists, and business partners whose personal and financial data appears in the leaked files face direct exposure. The broader impact extends to the Hungarian media landscape, where the political sensitivity of the alleged editorial content has drawn significant public attention following Orbán’s recent electoral defeat to the opposition.

Why CISOs should care

The Mediaworks breach illustrates two converging trends. First, World Leaks and similar data-extortion operations that skip encryption in favor of pure exfiltration and publication present a threat profile that backup-focused ransomware defenses do not address. If there is nothing to decrypt, there is nothing for backups to fix. Second, the political dimension of the leaked content demonstrates that media organizations, particularly those with government or geopolitical affiliations, face threat actors motivated by more than financial gain. The strategic value of the data itself can make media companies high-priority targets regardless of their technical security posture.

3 practical actions

  1. Treat data exfiltration prevention as a distinct control from ransomware recovery: World Leaks does not encrypt systems. Organizations that have invested heavily in backup and recovery capabilities as their primary ransomware defense have no equivalent control against a group whose entire leverage is publication of stolen data. Data loss prevention controls, egress monitoring, and network segmentation that limits lateral movement before exfiltration are the relevant defenses here.
  2. Review access controls and data classification for sensitive internal communications and financial records: The leaked Mediaworks data reportedly includes internal editorial communications, payroll records, and financial statements. Assess whether your organization’s most sensitive internal data is subject to access controls proportional to its sensitivity, and whether bulk exfiltration of that data would be detectable before 8.5 terabytes left your environment.
  3. Assess the threat model for organizations with geopolitical or government affiliations: Media organizations, think tanks, NGOs, and companies with visible political or government alignment face targeting from threat actors with motivations beyond financial extortion. Review whether your current threat model accounts for adversaries who may value the content of your data for strategic or reputational purposes, and whether your detection capabilities would identify targeted reconnaissance of high-sensitivity internal systems.