Cyber Incident Victim: Telefónica

Date: May 2017

Location: Russia

Summary

A global ransomware attack disrupted organizations across multiple sectors, including telecommunications, healthcare, and energy. Telefónica had equipment compromised but maintained control over the affected systems, while other Spanish firms took precautionary measures such as shutting down computers. The incident affected over 200,000 computers worldwide, forcing hospitals to cancel patient appointments, halting production at automotive plants, and disrupting critical infrastructure such as railway displays and fuel payment systems. The ransomware locked files and demanded payment to release them, and it hit entities running outdated software particularly hard. Despite widespread infections, some organizations limited the damage through network isolation, domestic operating systems, or previously installed security patches.

Description

The WannaCry ransomware attack emerged globally on or around May 12, 2017, rapidly infecting over 200,000 computers across 150 countries. Among the affected organizations was Spanish telecommunications company Telefónica, which reported that infected equipment had been brought under control during the incident. The ransomware exploited vulnerabilities in Microsoft Windows systems, encrypting files and demanding payments (typically $300) to restore access. Critical infrastructure sectors faced widespread disruption: Russia’s interior ministry, railways, and banks experienced attacks on approximately 1,000 computers, though vital servers running the domestic Elbrus operating system remained unaffected. Germany’s Deutsche Bahn saw electronic departure boards compromised, but train services continued uninterrupted. In China, underfunded universities using outdated or pirated software suffered severe network disruptions, forcing students to pay ransoms to recover academic work, while petrol stations in Chongqing halted card payments after China National Petroleum Corp systems were infected.

The attack significantly impacted healthcare systems, particularly in the UK, where 48 National Health Service trusts in England and 13 Scottish NHS organizations faced operational paralysis, with screens displaying ransomware messages like “Ooops, your files have been encrypted!” and patients being diverted. Industrial operations were also disrupted: Renault halted production at multiple sites but restored 90% of factory operations swiftly, while Nissan’s Sunderland plant in the UK experienced disruptions. In Spain, Telefónica’s containment efforts contrasted with precautionary measures by Iberdrola and Gas Natural, which instructed employees to power down computers. South Korea’s CJ CGV cinema chain reported compromised advertisement servers at 50 locations, though screenings proceeded normally. Japan recorded 2,000 infected computers across 600 companies, with Hitachi noting email delays but no ransom demands. India’s Andhra Pradesh police systems were hijacked, but broader government infrastructure avoided major damage due to preemptive patching. The incident underscored global vulnerabilities in unpatched systems and the cascading effects of ransomware on critical services.
