[BreachExchange] Targeted Ransomware Attacks Hit Several Spanish Companies

Destry Winant destry at riskbasedsecurity.com
Wed Nov 6 09:31:37 EST 2019


https://thehackernews.com/2019/11/everis-spain-ransomware-attack.html

Everis, one of the largest IT consulting companies in Spain, suffered
a targeted ransomware attack on Monday, forcing the company to shut
down all its computer systems until the issue gets resolved
completely.

Ransomware is malware that encrypts the files on an infected system and
withholds the decryption key until a ransom is paid.

According to several local media outlets, Everis informed its employees
about the widespread ransomware attack, saying:

"We are suffering a massive virus attack on the Everis network. Please
keep the PCs off. The network has been disconnected with clients and
between offices. We will keep you updated."


"Please, urgently transfer the message directly to your teams and
colleagues due to standard communication problems."


According to cybersecurity consultant Arnau Estebanell Castellví, the
malware encrypted files on Everis's computers with an extension name
resembling the company's name, i.e., ".3v3r1s," which suggests the
attack was highly targeted.

At this moment, it's unknown which specific ransomware family was used
to target the company, but the attackers reportedly demanded €750,000
(~USD 835,000) in ransom for the decryptor, according to a company
insider who spoke to the bitcoin.es site.

However, considering the highly targeted nature of the attack, the
founder of VirusTotal suggested in a tweet that the ransomware could
be BitPaymer/IEncrypt, the same malware that was recently found
exploiting a zero-day vulnerability in Apple's iTunes and iCloud
software.

Here's the ransomware message that was displayed on the screens of the
infected computers across the company:

Hi Everis, your network was hacked and encrypted.
No free decryption software is available on the web.
Email us at sydney.wiley at protonmail.com or
evangelina.mathews at tutanota.com to get the ransom amount.
Keep our contacts safe.
Disclosure can lead to the impossibility of decryption.


What's more, Everis appears not to be the only company that suffered a
ransomware attack this morning.

Some other Spanish and European companies have reportedly also been
hit by similar ransomware during the same period, and the national
radio network Cadena SER has confirmed that it was attacked.

"Cadena SER suffered this morning an attack by a ransomware-type
computer virus, a file encrypter, which has seriously and widely
affected all of its computer systems," the company said.


"Following the protocol established in cyberattacks, the SER has seen
the need to disconnect all its operating computer systems."


The company has also informed that its "technicians are already
working for the progressive recovery of the local programming of each
of their stations."

At the time of writing, it's unclear whether the hackers behind these
ransomware attacks are the same, how the malware infiltrated the
companies in the first place, or whether it had wormable capabilities
that allowed it to spread itself across the network.

Though it's unconfirmed, some people familiar with the incident also
suspect the attackers might have used the BlueKeep RDP vulnerability to
compromise the company's servers; the first mass exploitation activity
against BlueKeep was spotted in the wild just yesterday in a separate
campaign.

The Hacker News is in contact with some of the targeted company's
employees and will update you with more information about the incident
shortly.

Meanwhile, the Spanish Department of Homeland Security has also issued
a warning about the ongoing cyber attack and recommended that users
follow basic security practices, such as keeping their systems updated
and maintaining proper backups of their important data.
