What do we know about the Spanish Public Employment Service?
The alarm went off on Tuesday with the news of a cyber-attack on the Spanish Public Employment Service (SEPE) that paralyzed its activity. The shutdown continues today, Wednesday.
What kind of attack is it?
According to the CSIF release, it is a ransomware attack (extortion malware) and the latest news suggests it could be the offspring of an old friend: Ryuk.
This ransomware was first identified in 2018 but has been updated since then. You might remember it from the 2019 attacks on Spanish companies such as Prosegur, Everis, and La Ser.
This ransomware moves laterally through devices connected by a LAN. The modus operandi of this malware consists of:
The malicious code infects a computer in the system.
It spreads and activates itself: it begins encrypting all files on the system.
Once the computers have been rendered unusable, it demands a ransom in exchange for allowing the victim to return to work.
If you want to know more about how Ryuk works, check the Panda Report.
What was the scope of the attack?
The General Director has assured that no data theft has taken place. Only the shared files have been affected, not the computer system nor the benefits management system. It will, however, cause a delay in the management of appointments.
The government assures that no ransom has been demanded, as would be usual in ransomware attacks.
How did it happen?
The Ministry of Labour is investigating the origin of the cybersecurity breach at the SEPE. This kind of malware can have many entry points: from the best-known one, email, to the operating system, remote connections, or even weak passwords of users on the internal network. Any vulnerability can be exploited.
How can we protect ourselves from this type of attack?
There is no absolute formula to avoid them, but there are small actions we can take to make things more difficult for criminals.
Keep our equipment up to date.
Search for and patch vulnerabilities in our system.
Protect and monitor endpoints.
Make backup copies outside the reach of the network.
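As an added example of the "protect and monitor endpoints" step (not code from the original post, from SEPE, or from any vendor): a small detector that flags a host touching an unusually large number of shared files within a short window, which is the pattern the encryption phase described above produces on a file share. The event format, thresholds and sample events are constructed assumptions, not a real product's log.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Hypothetical event format (constructed, not from any real product):
# each event is (timestamp, host, action, path); action is MODIFY or RENAME.
WINDOW = timedelta(seconds=60)   # sliding window evaluated per host
THRESHOLD = 25                   # distinct files touched in WINDOW before alerting

def build_sample_events():
    """Constructed sample: one user editing normally, one host showing a burst."""
    base = datetime(2021, 3, 9, 8, 0, 0)
    events = []
    # Benign: pc-03 saves four documents over ten minutes.
    for i in range(4):
        events.append((base + timedelta(minutes=2 * i), "pc-03", "MODIFY",
                       f"\\\\srv\\shared\\reports\\report{i}.docx"))
    # Suspicious: pc-17 rewrites 40 shared files in 20 seconds (two per second).
    for i in range(40):
        events.append((base + timedelta(seconds=i // 2), "pc-17", "MODIFY",
                       f"\\\\srv\\shared\\claims\\case{i}.pdf"))
    return sorted(events)

def detect_bursts(events, window=WINDOW, threshold=THRESHOLD):
    """Return {host: first_alert_time} for every host that modifies or renames
    at least `threshold` distinct files inside any sliding `window`.
    Events must be sorted by timestamp."""
    recent = defaultdict(deque)   # host -> deque of (timestamp, path) in window
    alerts = {}
    for ts, host, action, path in events:
        if action not in ("MODIFY", "RENAME"):
            continue                      # reads and deletes are ignored here
        q = recent[host]
        q.append((ts, path))
        while q and ts - q[0][0] > window:   # drop events older than the window
            q.popleft()
        if host not in alerts and len({p for _, p in q}) >= threshold:
            alerts[host] = ts             # remember when the burst was first seen
    return alerts

if __name__ == "__main__":
    for host, when in detect_bursts(build_sample_events()).items():
        print(f"ALERT {host}: mass file modification burst detected at {when}")
```

The threshold and window are starting points; on a real file server they should be tuned against the normal write rate of legitimate batch jobs so that backups and sync clients do not trigger the alert.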