Spanish business networks shut down due to ransomware

Spanish broadcaster SER was hit by a ransomware attack on the morning of November 4, 2019, as was Spanish technology services company Everis.

A targeted ransomware attack took down the networks of at least two companies in Spain today, sending ripples to other companies as they moved to defend themselves. The targets included Everis – a major IT services and consulting subsidiary of Japan-based global communications company NTT – and radio company Sociedad Española de Radiodifusión (Cadena SER). A technician at a company told the Spanish channel ABC, “We are in hysteria mode.”

Some other companies, including Spanish airport operator Aena, have cut some of their services as a precaution. They did this partly because Everis has staff on site at many Spanish companies. But the attack may have affected other companies as well, although no others have publicly acknowledged the ransomware.

The ransomware appears to be a variant of the BitPaymer family, which is connected to the Dridex group's malware, according to security researcher Vitali Kremez and others who have analyzed the attack.

A screenshot of the note delivered by the ransomware, published by Spanish cryptocurrency news site Bitcoin.es, shows the characteristics of a BitPaymer campaign.

The ransomware note delivered to Everis.

In July, researchers from endpoint protection firm Morphisec noted that Dridex was used to deliver a BitPaymer variant in a campaign that targeted a supply chain service provider to attack the provider’s customers. As Ars reported last week, managed service providers have been increasingly targeted by ransomware operators, including the Oct. 22 BitPaymer attack on billing service provider Billtrust.

The Spanish Department of National Security (DSN) reported the attack on SER but provided few details. “Following the protocol established in the cyberattacks, the SER saw the need to disconnect all its operating computer systems,” said a spokesperson for the DSN. The radio network continues to operate from Madrid, while technicians from local stations work to restore the systems in collaboration with the Spanish National Institute of Cybersecurity (INCIBE).