Spain’s largest radio network Cadena SER (Sociedad Española de Radiodifusión), has been hit by a ransomware attack and the hackers behind it are demanding a €750,000 ($827,000) worth of BTC to decrypt its systems.
According to Bleeping Computer the problem may be related to Everis, a popular IT company and one of Spain’s largest managed service providers, which was also hit with the ransomware attack.
The ransomware strain to hit SER isn’t known, but it’s believed Everis was hit with the BitPaymer ransomware. The firm sent a notification to its employees notifying them it’s “suffering a massive virus attack,” and asking them to turn their computers off.
The ransom note sent to Everis warns them against disclosing the contacts of the attackers, which reportedly change form note to note. Cadena SER’s radio is believed to have been affected because it’s a client of Everis.
Telecom provider Orange cut off Everis’ access to their network, in order to prevent the ransomware attack from infecting them, according to cybersecurity consultant Arnay Estebanell Castellví.
In a note, Cadena SER confirmed the attack writing:
The SER chain has suffered this morning an attack of computer virus of the ransomware type, file encrypter, which has had a serious and widespread affectation of all its computer systems.
Following the attack Spain’s Department of Homeland Security (Departamento de Seguridad Nacional) revealed it was aware of attack on Spain’s largest radio network. INCIBE, the country’s national cybersecurity institute, has revealed it’s helping it restore its systems.
The BlueKeep vulnerability, which is reportedly present in all unpatched Windows NT-based versions of Microsoft’s operating system, is believed to have been used to infect the service provider’s systems.
The attack apparently occurred after one of Everis’ employees clicked on a link in a fraudulent email, that asked him to sign a petition:
Castellví added that Everis employees revealed that when they were implementing a patch to fix the its vulnerabilities their screens turned black “because of an antivirus rule.” At press time, the attack appears to be ongoing as security researchers haven’t yet managed to decrypt the affected machines.