UPDATED 13:50 BST 4/11/19 with more details, government comment.
Spain has been hit by a wave of ransomware attacks today, with NTT Data-owned Everis – a major IT consultancy – and national radio station SER among those reported to be affected.
Embarrassingly for Everis, it apparently offers its own “seamlessly integrated” cybersecurity services, including “security auditing, pentesting, vulnerability analysis and any other service focused on the proactive identification of vulnerabilities and weaknesses.”
The company has yet to respond to requests for comment.
“We are in hysteria mode,” a technician from one of the companies hit told Spanish news media this afternoon.
The specific type of ransomware payload and the vulnerability the attackers are exploiting have not yet been reported, but the payload has variously been named as Ryuk and Bitpaymer. Speculation is rife that the attack involves the exploitation of the so-called BlueKeep vulnerability, after an explosion of BlueKeep malware was detected over the weekend.
Spain’s largest radio station SER (Sociedad Española de Radiodifusión) confirmed it had been hit in a statement this afternoon, saying it had suffered an attack “of the ransomware type… which has had a serious and widespread effect on all of its computer systems.”
UPDATED 14:35 BST 4/11/19 with Aena comment.
Major airport operator Aena confirmed to Computer Business Review that it categorically had not been impacted by the attacks, but had just taken precautionary measures to protect its networking systems. Despite reports to the contrary, Accenture also insisted it had not been affected.
SER, meanwhile, is being “kept running by its headquarters in Madrid, supported by autonomous teams”, the company said in a Spanish language statement.
“The technicians are already working for the progressive recovery of the local programming of each of their stations.”
The country’s Department of Homeland Security played down the attacks, saying in an otherwise detail-free blog post that “this type of attack occurs quite frequently. In 2016, the National Cybersecurity Institute handled some 2,100 similar incidents…
“It does not compromise data security nor is it a data leak.”
The department confirmed SER had been hit and that it was a ransomware attack: “The infection path appears to be a file attached to an email” (“La vía de infección parece ser un fichero adjunto a un correo electrónico”).