Cyber Incident Victim: SEPE
Date: Mar 2021
Location: Spain
Summary
Spain's public employment system (SEPE) experienced a significant cyberattack involving Ryuk ransomware, which encrypted files and disrupted its computer systems, rendering the website inoperable. The attack forced the agency to suspend services while working to restore operations, with the origin remaining unidentified during initial response efforts.
Description
On March 9, 2021, Spain’s Public Employment Service (SEPE) experienced a significant cyberattack that disrupted its online services and internal systems. The attack rendered SEPE’s website inoperable, preventing public access to employment resources and administrative functions. SEPE employees discovered suspicious files labeled ‘Ryuk’ on compromised systems, indicating a potential ransomware infection. Ryuk ransomware typically encrypts victim files to block access until a ransom is paid, though no explicit ransom demand or payment instructions were disclosed in initial reports. The Spanish Ministry of Labor confirmed the incident but stated the attack’s origin remained undetermined at the time of discovery. Technical teams worked urgently to restore services, prioritizing system recovery amid widespread operational paralysis. The disruption affected SEPE’s internal and external networks, mirroring tactics observed in contemporaneous attacks on French hospitals. No patient or citizen data breaches were explicitly reported, but the encryption of files hindered routine operations and public service delivery.

The Ministry of Labor spearheaded the response, coordinating with SEPE’s IT personnel to investigate the intrusion and mitigate damage. SEPE employees played a critical role in identifying the Ryuk-associated files, enabling incident responders to focus remediation efforts. Service restoration timelines were not publicly specified, but the attack caused prolonged downtime, impacting unemployment services and administrative workflows nationwide. No attribution to specific threat actors or groups was confirmed, and Labor Ministry sources maintained the attack’s origin was under active investigation. The incident highlighted vulnerabilities in public sector infrastructure, compounding operational challenges during a period of heightened unemployment due to the COVID-19 pandemic. Recovery efforts centered on decrypting files or restoring systems from backups, though technical specifics were not disclosed. SEPE’s reliance on functional networks for employment services exacerbated the attack’s societal impact, leaving citizens unable to access critical resources during the outage.
