Cyber Incident Victim: Everis
Date: Nov 2019
Location: Spain
Summary
A ransomware attack targeted a major Spanish IT services subsidiary of a global communications firm and a radio broadcaster, causing widespread network shutdowns and operational disruptions. The incident prompted precautionary disconnections by other organizations, including an airport operator, due to the IT firm's on-site presence at multiple corporations. Security researchers identified the malware as a BitPaymer variant associated with the Dridex group, previously linked to supply chain attacks. Emergency protocols led to complete system isolation at affected entities, with technical recovery efforts coordinated through national cybersecurity authorities. The attack induced significant operational chaos, described by one technician as triggering "hysteria mode" within compromised networks.
Description
On November 4, 2019, a targeted ransomware attack disrupted operations at multiple Spanish companies, with IT services firm Everis and radio broadcaster Cadena SER (Sociedad Española de Radiodifusión) among the confirmed victims. The attack forced both organizations to shut down their networks, causing significant operational interruptions. Because Everis, a subsidiary of Japan-based NTT, maintains an extensive on-site presence at Spanish corporations, its incident triggered precautionary responses from other entities, including Spanish airport operator Aena, which temporarily disabled some services. A technician at an affected company described the environment as "hysteria mode," reflecting the severity of the disruption. Security researchers, including Vitali Kremez, identified the ransomware as a variant of BitPaymer associated with the Dridex malware group. A ransom note screenshot shared by Spanish cryptocurrency outlet Bitcoin.es displayed characteristics consistent with BitPaymer campaigns. This malware family had previously been deployed through Dridex in July 2019 against a supply chain provider, and a separate October 22, 2019, attack had targeted billing service provider Billtrust, highlighting a pattern of attacks on service-oriented businesses.

Spain’s Department of National Security (DSN) acknowledged the attack on Cadena SER, noting the broadcaster followed established cyber incident protocols by disconnecting all operational computer systems. The radio network maintained limited functionality from its Madrid headquarters while technicians at local stations collaborated with Spain’s National Institute of Cybersecurity (INCIBE) to restore services. Though no additional companies publicly confirmed infections, the incident’s ripple effects extended beyond the primary targets due to Everis’s role as an IT services provider embedded within client infrastructures. The DSN provided no further technical specifics about the attack vector or scope. Operational impacts included halted internal systems at Cadena SER and Everis, while defensive measures by third parties like Aena demonstrated the perceived contagion risk from compromised service providers. Restoration efforts remained ongoing at the time of reporting, with no disclosure of ransom demands or data exfiltration claims.
