Is WannaCry still alive? Ransomware hits Spanish companies


Targeted ransomware attacks on two victims from Spain – Everis IT consultancy firm and leading radio network Cadena SER

Ransomware hit two major companies in SpainThe first Monday of November, 2019 came with huge news about the targeted cryptovirus attack on two major Spanish companies.[1] Both companies reacted very quickly, and informed their employees to shut down the computers, disconnect devices from the internet to avoid further infection.[2]

Everis firm suffered the most because the company has almost 25 000 workers across 18 countries. Based on unique features revealed from the leaked ransom note, it has already been determined that the company got affected by a version of IEncrypt ransomware aka BitPaymer.[3]

However, Cadena SER was affected by the malware which hasn’t been disclosed. After the chain suffered an attack, many files got encrypted, so the radio station needed to disconnect all computers, and let technicians start their work on recovery. The Department of Homeland Security[4] confirmed the ransomware incident in radio station servers, and the INCIBE – cybersecurity institute is still working on the encrypted data and trying to get the system back to work. 

Details leading to IEncrypt ransomware case 

Since the ransom note that was delivered to the encrypted computer from Everis got leaked, researchers had an opportunity to investigate further and determine the particular malware that has affected the network. The ransomware encrypted various files on the company’s systems and marked them with .3v3r1s extension. After looking at it closer, it makes obvious that the attack is set against a specific company. 

Once the ransom note got placed on the system, the message informed victims about the incident and provided contact details to reach the developers. Although these emails, [email protected] and [email protected], typically change per attack, that pattern seemed familiar and resembled IEncrypt alongside with the personalized file marker.

According to cryptocurrency service, attackers demanded around $835,923 in Bitcoin from Everis company for the questionable decryption key and file recovery. IEncrypt or BitPaymer is known ransomware that targets large businesses and demands huge amounts of money since companies are more profitable than everyday users.[5] Also, this strain is known for marking files in a particular pattern involving the name of the business or institution that was discovered in the particular Everit attack too.

Previous ransomware outbreak triggers panic

There are no confirmational statements that could determine the relationship between the two attacks and ransomware developers. However, both infections occurred on the same day. This is not a global ransomware infection or a large scale attack, but Spain has been involved in one huge case, so it sparks some panic.

When massive WannaCry ransomware attacks in 2017 affected a large part of the world, Spain was one of the first countries to suffer. At the time, Spanish newspaper El Mundo and internet provider Telefonica suffered the most.[6]

Probably because of the previous incidents when Spain was hit hard, authorities reacted immediately this time. Security advisory got released a few hours after the incidents, and the statement warned people to improve the security measures, urged victims to reach out for help from INCIBE.

Such incidents sparked rumors that the damage is made beyond Everis, and panic among people since infections impacted the businesses majorly. Many companies use Everis software, and there are many people that fear being affected by the ransomware too.

Besides particular reports, many companies opted to shut down operations and inspect their systems further. Additionally,  financial consultancy firms, software developers had to issue public notices confirming that they were not affected, and all the operations are secured.[7]