Ryuk ransomware infects hundreds of Spanish government offices

The Spanish government has revealed that the IT infrastructure of SEPE, the government labor agency, was compromised in a ransomware attack that resulted in the complete elimination of its systems in the agency’s more than 700 offices.

“We are taking the necessary steps to restore our priority services as soon as possible, mainly with regard to the public employment service website of the State and, eventually, to restore the rest of our services,” the government agency’s report mentions.

The agency also said that the deadlines for filing benefit applications at affected offices will be extended by as many days as are needed to restore systems.

Gerardo Gutierrez, director of the agency, confirmed that its computer infrastructure was encrypted using the dangerous ransomware variant known as Ryuk, and gave assurances that the personal information of employees and beneficiaries of unemployment programs was not affected by the incident: “Confidential information, including payroll data and contact information, is completely safe,” the report says.

One of the first consequences that the agency detected was the delay of hundreds of thousands of appointments made through one of the main public workers’ unions in Spain. Apparently, the malware also spread beyond SEPE’s networks, eventually infecting some computers of people working from home.

As for the ransomware variant, cybersecurity experts mention that Ryuk operates as a ransomware-as-a-service (RaaS) platform and has been active since at least 2018. Specialists mention that Ryuk samples are found in approximately 33% of the ransomware attacks detected worldwide.

Attackers affiliated with this ransomware group attacked approximately 20 companies each week during the third quarter of 2020, and have deployed a massive wave of attacks on U.S. health systems since November 2020.

Moreover, this is not the largest ransomware incident recently detected in Spain: a few months ago it was confirmed that the systems of Everis, one of the world’s leading managed service providers, were compromised using a similar ransomware variant. Other public and private organizations have reported similar incidents, although no link with Ryuk operators has been confirmed.

Ransomware remains one of the main security threats for all organizations in the world.