At least two companies in Spain have suffered a cyberattack that has blocked their computer systems since Monday morning. The Cadena SER and Everis, a technology consultant, are the two known victims of the attack. Throughout Monday, other companies went out to deny having suffered a cyber attack. The Incibe, the body responsible for cybersecurity of Spanish private companies , has not yet given details about the number of people affected or the characteristics: "It is confidential information," he told this newspaper.
As EL PAÍS has been able to confirm from sources of the SER, the virus involved in the attack is Ryuk, the same one that attacked the Jerez City Council on September 27. Ryuk is a ransomware, a program that encrypts victims' files and asks for an economic rescue to allow their recovery. Ryuk appeared in August 2018 and is run by a Russian group called Grim Spider, according to Crowdstrike. Until January 2019, it had achieved 3.5 million euros in 52 transactions. "They are professionals in the sector, with years dedicated to bank fraud," says an expert in cybersecurity.
Cajamar and ING have denied this newspaper that they have been victims of any cyberattack, despite having admitted problems in their lines of communication, reports Íñigo de Barrón . The insurance company Mapfre has also denied it and insisted that they have their teams ready in case a new wave arrives. KPMG and Accenture have also come out publicly to deny different information that implied them.
Incibe has been the only entity that has officially admitted the attack: "We work on mitigating and recovering the incident in coordination with the companies affected," he said in a public statement.
The SER chain detected the attack at 2 in the morning. "Since then we have focused on preserving the broadcast, what we have achieved," sources at the station's address say. The company alerted the corresponding public bodies, which confirmed that the attack did not respond to political connotations. "It is part of cybercrime to use and is an attack on European companies," say the same sources. The chain asked its workers not to use any of the company's computer equipment or the Wi-Fi network to connect to the Internet.
In the SER they have not received the extension message ".txt" in which the rescue is requested, as is usual in Ryuk's attacks. There is therefore no economic amount linked to the attack. Yes there was a file with the name of the virus and an email account. It is common for Grim Spider to calculate the reward he wants to receive based on the size and value of the victim company.
Although only the name of two companies victims of the attack is known, it is very likely that there are more affected that prefer not to be identified, hence the caution of Incibe. "It is a rather massive attack," the sources of the BE have indicated to this newspaper. It is possible that new cases may appear in the next few days or that Incibe may end up giving a more complete number of those affected.
A FRENCH TV, ALSO A VICTIM
On October 14, the French television network M6, the largest private group in the country, was also the victim of a ransomware attack during a weekend. Like the SER, the station managed to stay live on its ten television and radio channels. The weather channel, the American channel dedicated to time, did not have the same fate, which disappeared from the antenna for an hour and a half last April due to a ransomware attack.
COMMENTS