The main suspect in the cyberattack on SEPE is the Ryuk ransomware
The State Public Employment Service (SEPE) joined on Tuesday the list of organisations and companies hit by ransomware: malware that hijacks computers and encrypts their files in order to demand a ransom. The main suspect is Ryuk, a malicious program that has hit hundreds of public bodies in the United States and has also been a headache for many Spanish municipalities and public bodies. Ricardo Maté, general director of the cybersecurity company Sophos Iberia, has warned that attacks on public organisations similar to this one are being reported in other European countries.
Ryuk appeared in August 2018 and is run by a Russia-based group that the security company CrowdStrike calls Grim Spider. "It is a very well organised gang," explains Daniel Creus, senior analyst at Kaspersky Spain. "It is dedicated to what we call big game hunting, that is, it looks for large prey such as big corporations or public administrations." The appearance of files with the .ryuk extension during the attack almost certainly points to that malware, according to Creus. Ryuk infections have frequently been preceded by infection with Emotet, one of the most important botnets of the last decade, whose malware of the same name has infected thousands of computers around the world. Emotet's infrastructure was dismantled earlier this year.
"The incident suffered by the SEPE," says Maté, "is one more example of cybercriminals continuing to improve their techniques, tactics and procedures to attack all kinds of companies and public organisations. In recent weeks and months, security breaches have been made public, such as the one suffered by Microsoft last week, which demonstrate the effectiveness of cybercriminal groups and which can affect hundreds of thousands of companies."
In Spain, the first to learn of Ryuk's virulence was Jerez City Council. In October 2019 the council suffered an attack by this ransomware that, as happened on Tuesday at the SEPE, forced it to swap computers for paper and online procedures for in-person ones, and to trade network speed for costly patience. A month later, Cadena SER (owned by the same publishing group as EL PAÍS) and the consulting firm Everis suffered a similar attack. Both companies turned to the National Cybersecurity Institute (Incibe). Last October, the FBI, the Department of Health and Human Services (HHS) and the Cybersecurity and Infrastructure Security Agency (CISA) jointly warned of an imminent threat of ransomware attacks against hospitals and healthcare providers in the United States.
What is done in such cases? "The incident at the SEPE is very recent," says Creus, "so the technicians will be doing what we call rapid response: first isolating all affected parts and then the mitigation task: shutting down systems, analysing persistence points and starting to restore healthy machines." "It is easy for a reinfection to occur," the expert warns. If there has been no data loss (as appears to be the case) the incident can be resolved by restoring systems, although full resolution can take weeks. If there has been data theft, the door to a ransom payment opens.
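The sequence Creus describes (isolate the affected hosts, capture their state, review persistence points, only then restore) can be turned into a first-hour triage script for a single Windows host. The following is an added example written for this page; it is not code from the article, from SEPE, Incibe, Kaspersky or Sophos. It assumes an Administrator PowerShell session on a machine with the built-in NetAdapter, ScheduledTasks and NetTCPIP modules (Windows 8 / Server 2012 or later), a writable C:\IR folder for the evidence it collects, and that the encrypted files carry the .ryuk extension mentioned above; the folder and the extension are assumptions to adjust for what is actually observed.

```powershell
# Added example: first-hour triage of one suspected Ryuk-infected Windows host.
# Not part of the original article or any vendor tool. Run as Administrator.
# Assumptions (not from the article): evidence folder C:\IR is writable and
# the encrypted-file extension is ".ryuk"; change $Ext to what you actually see.
$ErrorActionPreference = 'Continue'
$Out   = 'C:\IR'
$Ext   = '*.ryuk'
$Stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
New-Item -ItemType Directory -Path $Out -Force | Out-Null

# 1. Volatile state first: running processes and open TCP connections disappear
#    the moment the network is cut or the machine is shut down.
Get-Process -IncludeUserName | Select-Object Id, ProcessName, Path, UserName |
    Export-Csv "$Out\processes-$Stamp.csv" -NoTypeInformation
Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, OwningProcess |
    Export-Csv "$Out\tcp-$Stamp.csv" -NoTypeInformation

# 2. Isolation: keep the host powered on (memory, logs) but take it off the network.
#    Record which adapters were up so they can be re-enabled later.
$Up = Get-NetAdapter | Where-Object Status -eq 'Up'
$Up | Select-Object Name, InterfaceDescription, MacAddress |
    Export-Csv "$Out\adapters-$Stamp.csv" -NoTypeInformation
$Up | Disable-NetAdapter -Confirm:$false

# 3. Scope: how many files were renamed to the ransomware extension and where.
#    A full scan of C:\ can take minutes on a large disk; narrow -Path if needed.
$Encrypted = Get-ChildItem -Path C:\ -Recurse -File -Filter $Ext -ErrorAction SilentlyContinue
$Encrypted | Select-Object FullName, Length, LastWriteTime |
    Export-Csv "$Out\encrypted-files-$Stamp.csv" -NoTypeInformation
$Encrypted | Group-Object DirectoryName | Sort-Object Count -Descending |
    Select-Object -First 20 Count, Name | Format-Table -AutoSize

# 4. Persistence points to review before any machine is restored, so that a
#    surviving autostart entry does not reinfect the rebuilt environment.
#    (a) Run / RunOnce keys for the machine and the current user.
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($Key in $RunKeys) {
    if (Test-Path $Key) {
        "=== $Key ===" | Out-File "$Out\run-keys-$Stamp.txt" -Append
        Get-ItemProperty -Path $Key | Select-Object -Property * -ExcludeProperty PS* |
            Format-List | Out-File "$Out\run-keys-$Stamp.txt" -Append
    }
}
#    (b) Enabled scheduled tasks whose executable is not under the Windows directory.
Get-ScheduledTask | Where-Object State -ne 'Disabled' | ForEach-Object {
    $Task = $_
    $Task.Actions | ForEach-Object {
        [pscustomobject]@{
            Task    = $Task.TaskPath + $Task.TaskName
            Execute = $_.Execute
            Args    = $_.Arguments
        }
    }
} | Where-Object { $_.Execute -and $_.Execute -notmatch '^(%SystemRoot%|C:\\Windows)' } |
    Export-Csv "$Out\tasks-$Stamp.csv" -NoTypeInformation
#    (c) Services whose binary lives outside C:\Windows or C:\Program Files.
Get-CimInstance Win32_Service |
    Where-Object { $_.PathName -and $_.PathName -notmatch '^"?C:\\(Windows|Program Files)' } |
    Select-Object Name, State, StartMode, StartName, PathName |
    Export-Csv "$Out\services-$Stamp.csv" -NoTypeInformation

# 5. Hash the evidence so it can be handed to Incibe or an external team intact.
Get-FileHash -Algorithm SHA256 "$Out\*-$Stamp.*" |
    Export-Csv "$Out\hashes-$Stamp.csv" -NoTypeInformation
```

The ordering matters: live process and connection data is captured before the adapters are disabled, because the isolation step itself destroys it. The three persistence listings (Run keys, scheduled tasks, services outside the system directories) are a starting point, not an exhaustive sweep; WMI subscriptions, startup folders and rogue domain accounts should be reviewed as well before any "healthy" machine is reconnected, which is precisely the reinfection scenario Creus warns about.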
"Our recommendation is always to keep systems up to date," Maté adds. "Keeping, and even trying to protect, versions of operating systems that have been obsolete for years does nothing but make things easier for a potential attacker, no matter how much effort is put into protecting those computers."
Gerardo Gutiérrez, director of SEPE, said on Cadena Ser that they are currently analysing the information to find out "what" they are facing, though he sent a message of "absolute calm": "Confidential data is safe." He also stated that the incident "is not affecting the payroll system", so "benefits will continue to be paid without problems". "People who have appointments to process their cases are being called by phone or having their appointment postponed. A section of the SEPE website has been set up to report on these incidents," he said.