This is Ryuk, the ransomware that has knocked out SEPE (and many others before it)
The State Public Employment Service (SEPE) has suffered a cyberattack that has left it paralysed. The agency has been keen to make clear that personal data, payroll, unemployment benefits and ERTEs have not been affected, but many other services have.
The cause is Ryuk, ransomware that has been wreaking havoc for years and that has now locked up SEPE's data and computers. Below we explain how this attack works and what can be done to avoid it or, at least, minimise its impact.
SEPE, latest victim of a ransomware attack
The Central Sindical Independiente y de Funcionarios (CSIF) union said in a statement that this attack “has paralysed SEPE's activity throughout the country, both in the 710 offices that provide in-person service and in the 52 that serve the public remotely”.
The problem, they add, “has affected both the computers at the workstations and the laptops of staff who are teleworking”, which has caused “delays in the handling of hundreds of thousands of appointments throughout Spain, which will add to the workload of the following days.”
The situation is therefore serious, especially considering that SEPE's activity has skyrocketed as a result of the pandemic and its impact on unemployment.
Internal sources indicate that it is not known when employees will be able to use the affected equipment again, including landline phones. Staff had to be notified over public address systems, and with data and equipment locked, it remains to be seen when normal operation will be restored.
SEPE's official website, which was inaccessible after the attack, is available again, although in a version with very limited functionality. What they have done is restore a copy kept by the Internet Archive, as some users have pointed out on Twitter, and it mainly displays a notice stating that work is under way to mitigate the impact of the attack on SEPE systems.
The notice also points out that this situation does not affect the rights of benefit applicants, and that “in the same way, it is not necessary to renew the job application. It will be renewed automatically or it can be renewed once the service is restored without loss of rights.”
The Ministry of Labour has indicated that anyone interested can request more information about this incident on the free 060 helpline.
Curiously, no ransom appears to have been demanded in this attack on SEPE. The agency's director, Gerardo Gutiérrez, explained on Cadena Ser's ‘Hora 14’ programme that no ransom payment had been demanded, something very unusual in these circumstances.
He also indicated that ministry experts are working with the National Cryptologic Centre (CCN) to regain control of the systems. “Confidential data is safe from the attack,” he said, and benefits will continue to be paid as normal.
Ryuk, a ruthless ransomware
Ryuk first appeared in 2018. Although it was initially suspected of originating from a North Korean group (its code derives from the Hermes ransomware, which had been linked to that country), later evidence indicates that Russian cybercriminals were responsible for its creation and operation.
As with other ransomware, Ryuk's goal is to get into systems and encrypt their data, making it inaccessible. To unlock it the attackers demand a ransom, normally payable in cryptocurrency, which makes the payment harder to trace.
Otherwise the systems stay locked indefinitely, and if the group behind the attack has also managed to steal data before encrypting the systems, there is an additional risk: that they leak the stolen data so that it is publicly exposed (so-called double extortion).
As we have explained before, Ryuk is believed to be operated by a criminal group known as Wizard Spider, which has a cell tracked as Grim Spider.
Ryuk attacks usually target large organisations and companies. CrowdStrike's researchers explained that the process begins with a targeted attack (they do not go after just anyone), normally via email. The message delivers malware such as the well-known TrickBot, whose modules let the attackers map the network infrastructure once the victim falls for the lure, and then spread by exploiting vulnerabilities in the Windows systems they find. Ryuk itself is typically deployed later, by hand, once the operators have gained broad access to the network.
The ultimate goal is to encrypt the files on the attacked computers, sparing extensions such as .exe and .dll (it does, however, encrypt .sys and .ocx files). Leaving those files alone ensures that in many cases the system keeps working well enough to boot, display the ransom demand and let the victim pay.
Recent versions of Ryuk also skip folders named Windows, Chrome, Mozilla, Microsoft or Recycle.bin, and the latest variant has taken on worm-like characteristics, spreading on its own to other machines through Windows Remote Procedure Calls (RPC). It can even reach powered-off computers: it sends Wake-on-LAN (WoL) packets so that they boot and can then be infected.
As Panda Security's researchers explain, Ryuk also tries to persist as long as possible by dropping executables and launching them silently. The process ends with the remaining files on those systems encrypted, usually with a changed extension (a .DOCX document becomes a .RYK file, for example). The attackers also leave a text file named “RyukReadme.txt” stating the ransom terms and how to obtain the decryption key. For anyone triaging an incident, that extension and that note are the quickest indicators to search for on affected hosts and shares.
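The indicators just described (files renamed to .RYK, the RyukReadme.txt note, and the folder and extension exclusions) can be turned into a quick triage pass over an affected share. The script below is an added example and is not code from the article or from any of the vendors it cites: it walks a directory tree, lists what was encrypted, where notes were dropped, what Ryuk would have spared by its own rules, and which files it should have hit but did not (a hint that the run was interrupted). The sample tree is constructed inline for the demo; the indicator list comes from the article's description, and real samples vary, so treat it as a starting point rather than a complete signature.

```python
"""Triage a file tree for Ryuk artefacts. Added example, not code from the
article; indicator names follow the article's description of Ryuk, and the
sample tree below is constructed for the demo (it is not incident data)."""
import os
import tempfile
from pathlib import Path

RANSOM_EXT = ".ryk"             # appended to encrypted files, e.g. report.docx.RYK
RANSOM_NOTE = "ryukreadme.txt"  # note dropped by the attackers (matched case-insensitively)
# Folder names the article says recent Ryuk versions leave alone.
SKIPPED_DIRS = {"windows", "chrome", "mozilla", "microsoft", "recycle.bin"}
# Extensions the article says are spared; note that .sys and .ocx are NOT spared.
SPARED_EXTS = {".exe", ".dll"}


def original_name(rel_path):
    """Recover the pre-encryption name: 'docs/report.docx.RYK' -> 'docs/report.docx'."""
    if rel_path.lower().endswith(RANSOM_EXT):
        return rel_path[:-len(RANSOM_EXT)]
    return rel_path


def triage_tree(root):
    """Classify every file under root into encrypted / notes / spared / missed."""
    root = Path(root)
    result = {"encrypted": [], "notes": [], "spared": [], "missed": []}
    for dirpath, _dirnames, filenames in os.walk(root):
        rel_dir = Path(dirpath).relative_to(root)
        in_skipped_dir = any(part.lower() in SKIPPED_DIRS for part in rel_dir.parts)
        for name in filenames:
            rel = (rel_dir / name).as_posix()
            low = name.lower()
            if low == RANSOM_NOTE:
                result["notes"].append(rel)
            elif low.endswith(RANSOM_EXT):
                result["encrypted"].append(rel)
            elif in_skipped_dir or Path(low).suffix in SPARED_EXTS:
                result["spared"].append(rel)
            else:
                # Ryuk's rules say this file should have been encrypted; an intact
                # copy suggests the run was interrupted or the host only partly hit.
                result["missed"].append(rel)
    for key in result:
        result[key].sort()
    return result


# Constructed sample tree: hypothetical paths and contents, not real incident data.
SAMPLE_TREE = {
    "Users/ana/report.docx.RYK": b"\x00encrypted",
    "Users/ana/photo.jpg.RYK": b"\x00encrypted",
    "Users/ana/driver.sys.RYK": b"\x00encrypted",
    "Users/ana/RyukReadme.txt": b"ransom terms and contact address would be here",
    "Users/ana/setup.exe": b"MZ",
    "Users/ana/todo.txt": b"plain text the encryptor never reached",
    "Windows/System32/kernel32.dll": b"MZ",
    "Windows/System32/boot.sys": b"plain",
    "Program Files/Mozilla/firefox.exe": b"MZ",
}


def build_sample_tree(base):
    """Write SAMPLE_TREE under base so triage_tree has something to walk."""
    for rel, data in SAMPLE_TREE.items():
        path = Path(base) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)
    return base


def demo():
    """Build the sample tree in a temp dir and return the triage report."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return triage_tree(tmp)


if __name__ == "__main__":
    report = demo()
    for key, files in report.items():
        print(f"{key} ({len(files)}):")
        for f in files:
            print("   ", f, "->", original_name(f) if key == "encrypted" else "")
```

Run it against the root of a suspect share rather than a live system drive, and from a clean machine: the "missed" list is the useful part for scoping, because it tells you which hosts or folders the encryptor never finished, and therefore which data may still be recoverable without a decryption key.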
How to protect yourself from an attack like this: backups
Although in October 2020 Microsoft and several security companies dealt a major blow to the TrickBot botnet (and by extension to Ryuk), that clearly did not eliminate the threat.
Avoiding an attack of this kind is very difficult and requires a substantial, proactive security effort. Recognising suspicious activity (for example, by analysing network traffic and system logs) and acting on it in time is usually hard, and more so in large companies and organisations, which tend to have complex infrastructures in which legacy systems coexist with new ones.
To try to prevent these problems we must keep our systems up to date, which minimises the risk of attackers exploiting vulnerabilities present in old versions of certain components and applications.
One of the keys to emerging (at least partly) unscathed from an attack like this is to make frequent backups of systems. That way, if our computers are locked, we can restore them from the last backup. Those backups also need to be test-restored regularly: a backup that has never been restored is not yet known to be a backup.
Those copies must also be out of reach of the network that employees connect to, because ransomware that has spread through the network will encrypt any backup it can reach, including mapped network shares. One option is external hard drives that are connected only while the backup is being made and disconnected immediately afterwards.
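The two backup points above, keeping the copy out of the malware's reach and actually testing that it restores, are easier to get right with a little tooling. The script below is an added example, not code from the article: it writes an archive plus a per-file SHA-256 manifest to a directory standing in for the external drive, returns the archive's own hash for you to record somewhere the drive cannot be edited from, and then restore-tests the archive by extracting every member (rejecting path-traversal names) and comparing hashes. The demo then overwrites the archive in place, as ransomware reaching a still-connected drive would, and shows that verification catches it. File names and contents are constructed for the demo.

```python
"""Offline backup with an integrity manifest and a restore test. Added example,
not code from the article; the sample files are constructed here and the
'tamper' step only simulates a backup that ransomware managed to reach."""
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path


def sha256_bytes(data):
    return hashlib.sha256(data).hexdigest()


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(src_dir, dest_dir, name="backup"):
    """Archive every file under src_dir into dest_dir/<name>.tar.gz and write
    dest_dir/<name>.manifest.json with per-file SHA-256 hashes. Returns the
    archive's own SHA-256, to be recorded off the backup medium (a ticket, a
    printed log) and handed back to verify_backup later."""
    src_dir, dest_dir = Path(src_dir), Path(dest_dir)
    archive = dest_dir / f"{name}.tar.gz"
    files = {}
    with tarfile.open(archive, "w:gz") as tar:
        for p in sorted(src_dir.rglob("*")):
            if p.is_file():
                rel = p.relative_to(src_dir).as_posix()
                files[rel] = sha256_file(p)
                tar.add(str(p), arcname=rel)
    (dest_dir / f"{name}.manifest.json").write_text(json.dumps(files, indent=2))
    return sha256_file(archive)


def verify_backup(dest_dir, expected_archive_sha256, restore_dir, name="backup"):
    """Restore-test a backup: check the archive hash against the out-of-band
    record, extract every member into restore_dir and compare each file's hash
    with the manifest. Returns a list of problems; empty means usable."""
    dest_dir, restore_dir = Path(dest_dir), Path(restore_dir)
    archive = dest_dir / f"{name}.tar.gz"
    problems = []
    if not archive.exists():
        return [f"archive missing: {archive.name}"]
    if sha256_file(archive) != expected_archive_sha256:
        problems.append("archive hash does not match the out-of-band record")
    manifest = json.loads((dest_dir / f"{name}.manifest.json").read_text())
    seen = set()
    try:
        with tarfile.open(archive, "r:gz") as tar:
            for member in tar.getmembers():
                if not member.isfile():
                    continue
                # Never let an archive write outside restore_dir.
                if member.name.startswith("/") or ".." in Path(member.name).parts:
                    problems.append(f"unsafe member name rejected: {member.name}")
                    continue
                data = tar.extractfile(member).read()
                out = restore_dir / member.name
                out.parent.mkdir(parents=True, exist_ok=True)
                out.write_bytes(data)
                seen.add(member.name)
                expected = manifest.get(member.name)
                if expected is None:
                    problems.append(f"file not in manifest: {member.name}")
                elif sha256_bytes(data) != expected:
                    problems.append(f"hash mismatch: {member.name}")
    except (tarfile.TarError, EOFError, OSError) as exc:
        problems.append(f"archive unreadable: {exc}")
    for rel in manifest:
        if rel not in seen:
            problems.append(f"file missing from archive: {rel}")
    return problems


# Constructed sample data for the demo; not real payroll or documents.
SAMPLE_FILES = {
    "payroll/march.csv": b"id,name,amount\n1,ana,1200\n",
    "docs/report.docx": b"PK\x03\x04 placeholder, not a real docx",
}


def demo():
    """Return (problems for a clean backup, problems after the drive was hit)."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        src, drive, restore1, restore2 = (tmp / n for n in ("src", "drive", "r1", "r2"))
        for d in (src, drive, restore1, restore2):
            d.mkdir()
        for rel, data in SAMPLE_FILES.items():
            (src / rel).parent.mkdir(parents=True, exist_ok=True)
            (src / rel).write_bytes(data)
        recorded_hash = make_backup(src, drive)  # 'drive' stands in for the external disk
        clean = verify_backup(drive, recorded_hash, restore1)
        # Simulate ransomware reaching a drive left connected: the archive is overwritten.
        (drive / "backup.tar.gz").write_bytes(b"\x00" * 64)
        tampered = verify_backup(drive, recorded_hash, restore2)
        return clean, tampered


if __name__ == "__main__":
    clean, tampered = demo()
    print("clean backup problems:", clean)
    print("after tampering:", tampered)
```

The manifest lives next to the archive, so on its own it only proves the archive is internally consistent; the archive hash you record elsewhere is what proves the copy on the drive is the one you made. Run the verification step on a schedule, from a machine that is not the backup source, and treat any non-empty result as a reason to pull the drive and investigate.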