Spain under massive ransomware attack; multiple companies affected

Digital forensics specialists reported a massive ransomware campaign that has infected the networks of some major companies in Spain, including broadcaster Cadena SER and consulting firm Everis. According to reports, the attacks have been serious enough to deeply affect operations in both organizations, which report multiple outages and system failures.

Failures in the broadcaster’s IT systems were even noticed by listeners, who began reporting the problem via Twitter. The company subsequently posted a statement on its official website, mentioning: “We have made the decision to disconnect all our operating computer systems. The broadcast will continue uninterrupted through the headquarters in Madrid; our IT team is already working on restoring activities and retrieving compromised information.”

As reported by digital forensics experts, as well as some local media, the company has already started an incident recovery plan; part of this plan involves implementing measures that all employees of the company must comply with, such as:

  • Do not use PRISA computer equipment (including laptops and desktop PCs)
  • For no reason should employees access any internal WiFi network
  • In case an employee needs to access their Outlook 365 email account, they must do so from a computer or mobile device that is not connected to the company’s networks

Everis employees, for their part, have been instructed not to connect to the company’s internal networks and to keep their devices turned off, at least for now. In some areas of the company, activities were interrupted entirely, so employees were sent home.

A screenshot showing the ransom note

According to reports from digital forensics experts, the computers compromised during this incident display only a black screen with the attackers’ ransom note. In the message, the attackers claim that no decryption tool for this ransomware is available, so victims will have to pay the demanded ransom.

Although there is still no official news of other victims of this attack, local media report that other companies, such as KPMG and Accenture, may have been affected as well. Both companies have already issued statements mentioning that so far there are no indications of any ransomware infection on their systems.

Each company is responsible for how it addresses a cybersecurity incident; however, digital forensics specialists from the International Institute of Cyber Security (IICS) recommend never paying the ransom, as nothing ensures that threat actors will honor their part of the deal and hand over the keys needed to decrypt the affected devices. Another key recommendation is to report such crimes to the competent authorities; otherwise, the authorities would have no evidence to prosecute a criminal in the event of an arrest.