Targeted Ransomware Attacks Hit Spanish Companies Hard

A wave of ransomware attacks has been reported in Spain with several appearing to have been attacked almost simultaneously on Monday.

One of the attacked companies was Everis, one of the largest IT consulting companies and managed service providers in Spain.

The attack on Everis was targeted, which was made clear by the extension added to files encrypted by the ransomware – .3v3r1s. The dropped ransom note explained that its network was hacked and files were encrypted. No ransom amount was stated on the note. Everis was required to make contact with the attackers to find out how much they were demanding for the keys to unlock the encrypted files. Two email addresses were provided, along with a warning to “keep our contacts safe” as “disclosure can lead to impossibility of decryption.”

The attackers wanted payment of around €750,000 – $835,900 – for the keys that would enable the company to decrypt its files. It is unclear if the payment is being made or if files are being recovered from backups. The ransomware variant used in the attack is believed to be either Ryuk or BitPaymer.

Everis responded to the attack by disconnecting connections with its clients and connections between its offices while it dealt with the attack.

Meanwhile, another ransomware attack hit Spain’s largest radio station, Cadena SER. While it has not yet been confirmed whether these attacks are linked, it is possible that the radio station was attacked through Everis. Several threat groups are targeting managed service providers, as not only can the MSP be attacked, so too can all of its clients.

A statement issued by the radio station suggests that the attacks are not linked, and the timing is purely coincidental. The initial investigation results point to the infection path being a malicious file attached to an email.

Several other Spanish firms are believed to have also been attacked and some have taken action to secure their systems. AENA, Spain’s main airport operator and Accenture, have taken some services offline fueling speculation that they too had been attacked, although both have now issued statements saying they have not and that they have just taken steps to prevent an attack.

There have been various online reports suggesting the BlueKeep vulnerability was exploited in the attacks, although it would appear that these were purely ransomware attacks.

The Spanish Department of National Security has issued a statement in which the severity of the attacks was somewhat downplayed, stating that these attacks are common. The posting referred to a 2016 National Institute of Cybersecurity report that stated there have been 2,100 similar attacks to those reported by SER and Everis.

The Department of National Security has recommended all computer users follow basic cybersecurity best practices to avoid becoming a victim of a ransomware attack, such as addressing vulnerabilities by applying patches and keeping software up to date and ensuring a backup copy of all files exists to allow recovery without paying a ransom.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of