“Maximum security measures” enabled
Spanish security firm Prosegur confirmed today that it has been hit by a ransomware attack. The company — which employs 170,000 staff globally and runs six security operations centres (SOCs) among other services — said it has been hit by the Ryuk malware and is working to contain the incident.
Update on incident of information security pic.twitter.com/yj3xocz62o
— Prosegur (@Prosegur) November 27, 2019
The attack comes less than a month after Spain’s Everis (an NTT Data subsidiary which also provides a wide range of cybersecurity services globally) was shut down by a ransomware attack; one of several to strike Spain this month, with a leading broadcaster also hit early in November.
All Prosegur services are reported to be temporarily offline. It was not immediately clear how far the ransomware had spread.
Prosegur reported revenues of over €3 billion in 2018. It is active in 25 countries with services across four key segments (see below).
According to Derecho de la Red, as reported by Bleeping Computer, the malware was delivered via Emotet. The Spanish website also confirmed that the entire company network was down and employees had been sent home.
(Confidence in Prosegur’s services is unlikely to be bolstered by the fact that it has let an SSL certificate expire, with visitors to its website being served a security alert right above the corporate slogan “security you can trust.”)
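The expired-certificate detail above is the kind of lapse that a simple expiry monitor catches weeks in advance. The following is an added example, not code from the article or from Prosegur: it uses only the Python standard library, takes a certificate in the dictionary form that `ssl.SSLSocket.getpeercert()` returns, and classifies it as expired, expiring or fine against an assumed 14-day warning threshold. The `fetch_peer_cert` helper performs the live check; the sample certificates and the host name at the bottom are constructed for illustration.

```python
import socket
import ssl
from datetime import datetime, timezone

# Assumed alerting threshold: warn when fewer than this many days remain.
WARN_DAYS = 14


def days_until_expiry(cert, now=None):
    """Return (days_remaining, not_after) for a getpeercert()-style dict.

    days_remaining is negative once the certificate has already expired.
    The 'notAfter' field uses the "%b %d %H:%M:%S %Y GMT" form that
    ssl.cert_time_to_seconds() understands.
    """
    if now is None:
        now = datetime.now(timezone.utc)
    not_after_ts = ssl.cert_time_to_seconds(cert["notAfter"])
    not_after = datetime.fromtimestamp(not_after_ts, tz=timezone.utc)
    remaining = (not_after - now).total_seconds() / 86400.0
    return remaining, not_after


def classify(cert, now=None, warn_days=WARN_DAYS):
    """Map a certificate to 'expired', 'expiring' or 'ok'."""
    remaining, _ = days_until_expiry(cert, now)
    if remaining < 0:
        return "expired"
    if remaining < warn_days:
        return "expiring"
    return "ok"


def fetch_peer_cert(host, port=443, timeout=5.0):
    """Live check: complete a verified TLS handshake and return the peer cert.

    With the default (verifying) context an already-expired certificate
    fails the handshake, so that case is reported as a verification error
    rather than silently returning an empty dict.
    """
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.getpeercert(), None
    except ssl.SSLCertVerificationError as exc:
        return None, f"verification failed: {exc.verify_message}"


# Constructed sample certificates (only the field this check needs), evaluated
# at a fixed "now" so the result is reproducible offline.
SAMPLE_NOW = datetime(2019, 11, 27, 12, 0, 0, tzinfo=timezone.utc)
SAMPLE_CERTS = {
    "already-expired": {"notAfter": "Nov 20 23:59:59 2019 GMT"},
    "expiring-soon": {"notAfter": "Dec 05 12:00:00 2019 GMT"},
    "healthy": {"notAfter": "Jan 30 00:00:00 2020 GMT"},
}


def report(certs=SAMPLE_CERTS, now=SAMPLE_NOW):
    """Return {label: (status, days_remaining_rounded)} for a batch of certs."""
    out = {}
    for label, cert in certs.items():
        remaining, _ = days_until_expiry(cert, now)
        out[label] = (classify(cert, now), round(remaining, 1))
    return out


if __name__ == "__main__":
    for label, (status, days) in report().items():
        print(f"{label:16s} {status:9s} {days:+.1f} days")
    # Live check against a placeholder host; replace with a real hostname.
    cert, err = fetch_peer_cert("example.invalid")
    print("live check:", err if err else classify(cert))
```

Run the offline part from a scheduled job and page on `expired` or `expiring`; the live helper is what you would point at each externally facing hostname.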
A response to the Everis attack early in November raised concerns about the efforts Spain’s cybersecurity authorities are taking to help underpin security measures across the country’s businesses (both Prosegur and Everis, as cybersecurity service providers, should arguably not require such help).
The country’s Department of Homeland Security said in a breezy November 4 blog post that “this type of attack occurs quite frequently. In 2016, the National Cybersecurity Institute handled some 2,100 similar incidents…
“It does not compromise data security nor is it a data leak.”
Ryuk is used specifically to target enterprise environments, CrowdStrike notes; code comparison between versions of Ryuk and the Hermes ransomware indicates that Ryuk was derived from the Hermes source code and has been under steady development since its release.
“Hermes is commodity ransomware that has been observed for sale on forums and used by multiple threat actors. Since Ryuk’s appearance in August, the threat actors operating it have netted over 705.80 BTC across 52 transactions for a total current value of $3,701,893.98 USD,” the security firm says.
Scores of companies across Europe have been burned by ransomware attacks this year, including a leading provider of forensic services to the Metropolitan Police, a Norwegian aluminium producer and a Finnish oil company.