Ransomware attacked two Spanish companies: the local Internet is in panic, as in the WannaCry days

Ransomware recently attacked two large Spanish companies. Both infections occurred on the same day, causing a short-term panic in the Spanish Internet segment due to memories of the WannaCry epidemic two years ago.

One of the first WannaCry infections was discovered in Spain on May 12, 2017. At that time, the Spanish newspaper El Mundo and the Internet service provider Telefonica came under attack.

So far, only two companies have suffered from the “fresh” ransomware.

They are Everis, a consulting firm owned by NTT Data Group, and Cadena SER, Spain’s largest radio network.

Both companies ordered employees to disconnect computers from the Internet.

Everis has 24,500 employees in 18 countries. Other Everis affiliates have also been affected, as it is believed that the ransomware has spread through the company’s internal network.

“The network has been disconnected with clients and between offices. We will keep you updated. Please, send urgently the message directly to your teams and colleagues due to standard communication problems,” says the Everis security service notification.

According to screenshots posted on social media by alleged Everis employees, the ransomware that attacked the IT firm is a version of the BitPaymer ransomware, which also recently attacked the French television station M6 and the German automation manufacturer Pilz.

The ransom note left on Everis’s encrypted systems warns the company against disclosing the incident and provides contact information “to obtain the amount of the foreclosure.”

The attackers demanded a ransom of 750,000 euros ($835,923) from Everis in exchange for a decryption key to unlock its files.

The ransomware strain that hit Cadena SER is not yet publicly known.

“The technicians are already working for the progressive recovery of the local programming of each of their stations,” Cadena SER said.

Because Spain was one of the countries hit earliest and hardest by WannaCry, the country’s government organizations responded quickly.

The Spanish Department of Homeland Security (Departamento de Seguridad Nacional) confirmed the attack and issued security recommendations within a few hours of the incidents, urging companies to improve their cyber security and encouraging other victims to turn to INCIBE (Instituto Nacional de Ciberseguridad).

Although there is no sign of a serious ransomware epidemic like WannaCry, these incidents have had a major impact on Spanish business today. The Spanish offices of financial advisory company KPMG and software giant Accenture tweeted to reassure customers that they are not infected and are operating normally.

In light of the weekend’s massive exploitation of BlueKeep, some researchers suggest that the same vulnerability was used in today’s ransomware attacks on Spanish organizations.

Attempts to exploit BlueKeep were recorded by researcher Kevin Beaumont; they target port 3389, which is used for remote connections via the Remote Desktop Protocol (RDP).

Beaumont also discovered today that Everis has hundreds of servers directly exposed to the Internet, which suggests that the rumors about the use of BlueKeep in today’s ransomware attacks are not unfounded. The same assumption would explain why the internal Everis network is down.

Polina Lisovskaya

I have worked as a marketing manager for years now and love searching for interesting topics for you
