Ransomware Assault Shakes Morocco’s Media Landscape: Bashe Group Claims 30GB Data Breach at Iconic 2M TV Channel

By Ashish S

Background on 2M Maroc and Its Role in Moroccan Society

2M Maroc, operating under the domain 2m.ma, stands as one of the most influential private television channels in the Kingdom of Morocco. Launched in 1989, the broadcaster has grown from its early days as a secondary public channel into a major multimedia entity that commands a significant share of the national audience. Based in Casablanca, 2M delivers a wide array of programming that includes daily news bulletins, in-depth current affairs shows, popular entertainment series, sports coverage, and cultural documentaries.

The channel plays a central role in shaping public discourse within Morocco. Its news operations often cover both domestic developments and international stories with a focus on North African and Arab world affairs. Over the decades, 2M has built strong relationships with viewers across urban and rural areas, as well as with the large Moroccan diaspora communities in Europe and North America. Its digital platforms, including website streaming and social media channels, have further extended its reach in an increasingly connected society.

As a media organization, 2M handles vast quantities of sensitive information on a daily basis. This includes confidential correspondence with sources, detailed financial and advertising records, employee databases, and archives of investigative journalism materials. Such data makes the broadcaster a high-value target for cybercriminals seeking either financial profit through extortion or opportunities to cause reputational damage.

Details of the Claimed Breach by Bashe

On March 26, 2026, the ransomware group known as Bashe, also operating under the alias APT73, publicly announced that it had successfully breached the internal networks of 2M Maroc. The group claimed to have exfiltrated approximately 30 gigabytes of sensitive company data. Shortly after the claim, Bashe posted a ransom note on its leak site, stating that the full dataset would be published unless representatives from the television channel contacted them through designated communication channels to negotiate terms.

The threat actor’s message was clear and time-bound: “The full leak will be published soon, unless a company representative contacts us via the channels provided.” Cybersecurity monitoring platforms quickly picked up the claim, noting the incident as part of a series of alleged attacks by the same group on Moroccan entities around the same period. As of the latest available information, 2M Maroc has not issued any official public confirmation or denial of the breach, which is a common initial response while internal investigations are underway.

Technical teams at the broadcaster are reported to be working around the clock to assess the extent of any potential intrusion, contain possible ongoing threats, and secure remaining systems. The absence of immediate confirmation leaves many questions unanswered regarding the exact methods used by the attackers or the precise nature of the compromised data.

Nature of the Stolen Data and Associated Risks

According to reports circulating in cybersecurity circles, the allegedly stolen material could encompass a broad range of internal records. Potential categories include internal documents and email correspondence, financial records and transaction histories, employee personal information such as identification details and contact records, as well as journalist contact lists and source directories.

The exposure of employee data raises serious concerns about identity theft, phishing campaigns targeting staff members, or even physical safety risks in extreme cases. For a media organization, the compromise of source lists could be particularly damaging, as it might deter future whistleblowers or confidential informants from coming forward. Financial records, if leaked, could reveal advertising contracts, operational budgets, or other commercially sensitive information that competitors or malicious actors might exploit.

Beyond immediate data loss, the breach carries significant reputational implications. Viewers and stakeholders may question the channel’s ability to safeguard information, which in turn could affect public trust in its journalistic integrity. In the media sector, where credibility is a core asset, even the perception of a security lapse can lead to long-term consequences.

Profile and Tactics of the Bashe Ransomware Group

Bashe, which has also been referred to as APT73 and previously operated under names such as Eraleig or Eraliegn, first gained attention in the ransomware landscape around 2024. The group is known for employing double-extortion techniques, whereby attackers not only encrypt victim systems but also steal data and threaten its public release if ransom payments are not made.

Researchers have observed that Bashe maintains professional-grade leak sites hosted on the Tor network and communicates demands in a structured manner designed to increase pressure on victims. The group has targeted organizations across various sectors and geographies, though recent activity appears to include multiple claims against entities in Morocco within a short timeframe.

In the case of 2M, the attackers followed a familiar pattern of rapid public disclosure of their claim followed by a deadline for response. This tactic aims to force quick decision-making under duress while generating media attention that further amplifies the pressure on the victim organization.

Operational Impact on 2M Maroc

Should the breach be confirmed, the operational fallout for 2M could be substantial. Media companies rely heavily on digital systems for content production, archiving, audience analytics, and real-time broadcasting coordination. Any disruption to these systems, whether through encryption or as a precautionary measure during investigation, can affect programming schedules and internal workflows.

Journalists and production teams may face temporary restrictions on accessing certain databases or communication tools while security reviews are conducted. Advertising and commercial departments could encounter challenges in managing client relationships if financial data integrity comes into question. Moreover, the need to allocate significant resources toward incident response diverts attention and budget from core content creation activities.

In the longer term, the incident may prompt a comprehensive overhaul of cybersecurity protocols at the broadcaster, including enhanced employee training, stricter access controls, and investment in advanced threat detection technologies.

Cybersecurity Challenges Facing Media Organizations in North Africa

The alleged attack on 2M highlights broader vulnerabilities within the media and broadcasting sector, particularly in regions experiencing rapid digital growth. Moroccan media outlets have expanded their online presence and data-driven operations in recent years, yet this expansion has not always been matched by equivalent advancements in cyber defenses.

High-visibility organizations such as national television channels often become symbolic targets. Successful attacks against them can serve dual purposes for threat actors: generating ransom revenue while also drawing international attention to their capabilities. The concentration of valuable data within relatively centralized broadcasting infrastructures further increases the potential impact of any single breach.

Experts emphasize that media companies must treat cybersecurity as a strategic priority rather than a secondary concern. Regular vulnerability assessments, segmented network architectures, robust backup strategies with offline copies, and incident response rehearsals are essential components of a resilient defense posture.

Regional Context and Similar Incidents

The claim against 2M Maroc occurs alongside reports of Bashe targeting other Moroccan organizations in the same period, including telecommunications providers and regulatory bodies in the audiovisual sector. This clustering of activity suggests a focused campaign or opportunistic exploitation of regional networks that may share certain technological or supply-chain similarities.

Morocco continues to advance its digital economy through national initiatives aimed at expanding connectivity and modernizing public services. While these efforts bring clear benefits, they also expand the overall attack surface for cyber adversaries. The media sector, which serves as both a user and disseminator of information about digital risks, finds itself in a position where it must lead by example in adopting strong protective measures.

Immediate Response Measures and Future Outlook

In the wake of the claim, 2M’s internal response is likely centered on forensic analysis to determine whether and how systems were accessed. Collaboration with external cybersecurity specialists and coordination with relevant national authorities would be standard procedure in such situations. Legal teams may also be reviewing notification obligations under applicable data protection regulations.

For the broader industry, this case serves as a reminder of the persistent and evolving nature of ransomware threats. Organizations are encouraged to review and strengthen their defenses proactively rather than reactively. As digital transformation accelerates across North Africa, the ability to protect sensitive information will increasingly determine the sustainability and trustworthiness of media institutions.

The coming days and weeks will likely bring further clarity regarding the 2M incident as investigations progress and any potential data leaks are monitored. In the meantime, the event underscores the critical intersection between media operations and cybersecurity in today’s interconnected world.

Ashish S
Ashish is a Cybersecurity Student with over 2 years of experience in Cybersecurity Research, Bug Bounty hunting and programming.