Targeted Ransomware Attacks Hit Several Spanish Companies

Filed under Security Alerts.

Everis, one of the largest IT consulting companies in Spain, suffered a targeted ransomware attack on Monday, forcing the company to shut down all its computer systems until the issue gets resolved completely.

According to several local media, Everis informed its employees about the devastating widespread ransomware attack, saying:

“We are suffering a massive virus attack on the Everis network. Please keep the PCs off. The network has been disconnected with clients and between offices. We will keep you updated.”

“Please, urgently transfer the message directly to your teams and colleagues due to standard communication problems.”

According to cybersecurity consultant Arnau Estebanell Castellví, the malware encrypted files on Everis’s computers with an extension name resembling the company’s name, i.e., “.3v3r1s,” which suggests the attack was highly targeted.

At this moment, it is unknown which specific ransomware family was used against the company, but the attackers reportedly demanded €750,000 (~USD 835,000) in ransom for the decryptor, a company insider told the bitcoin.es site.

However, considering the highly targeted nature of the attack, the founder of VirusTotal suggested in a tweet that the ransomware could be BitPaymer/IEncrypt, the same malware that was recently found exploiting a zero-day vulnerability in Apple’s iTunes and iCloud software.

Here’s the ransomware message that was displayed on the screens of the infected computers across the company:

Hi Everis, your network was hacked and encrypted.
No free decryption software is available on the web.
Email us at sydney.wiley@protonmail.com or evangelina.mathews@tutanota.com to get the ransom amount.
Keep our contacts safe.
Disclosure can lead to the impossibility of decryption.

What’s more, Everis appears not to be the only company that suffered a ransomware attack this morning.

Some other Spanish and European companies have reportedly also been hit by similar ransomware during the same period, among them the national radio network La Cadena SER, which has confirmed the cyber attack.

“The SER chain has suffered this morning an attack of a computer virus of the ransomware type, file encrypter, which has had a serious and widespread affectation of all its computer systems,” the company said.

“Following the protocol established in cyberattacks, the SER has seen the need to disconnect all its operating computer systems.”

The company has also informed that its “technicians are already working for the progressive recovery of the local programming of each of their stations.”

At the time of writing, it is unclear whether the same attackers are behind these ransomware attacks, how the malware infiltrated the companies in the first place, and whether it had worm-like capabilities that let it spread itself across the network.

Though it is unconfirmed, some people familiar with the incident also suspect the attackers might have used the BlueKeep RDP vulnerability to compromise the company’s servers; the first mass exploitation of BlueKeep in the wild was spotted just yesterday, in a separate campaign.

The Hacker News is in contact with some of the targeted company’s employees and will update you with more information about the incident shortly.

Meanwhile, the Spanish Department of Homeland Security has also issued a warning about the ongoing cyber attack and recommended that users follow basic security practices such as keeping their systems updated and maintaining proper backups of their important data.


The information contained in this website is for general information purposes only. The information is gathered from The Hacker News. While we endeavour to keep the information up to date and correct, we make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability or availability with respect to the website or the information, products, services, or related graphics contained on the website for any purpose. Any reliance you place on such information is therefore strictly at your own risk. Through this website, you are able to link to other websites which are not under the control of CSIRT-CY. We have no control over the nature, content and availability of those sites. The inclusion of any links does not necessarily imply a recommendation or endorse the views expressed within them. Every effort is made to keep the website up and running smoothly. However, CSIRT-CY takes no responsibility for, and will not be liable for, the website being temporarily unavailable due to technical issues beyond our control.