Cyber Incident Victim: Prosegur
Date: Nov 2019
Location: Spain
Summary
A Spanish multinational security firm experienced a significant ransomware attack involving the Ryuk Trojan, which encrypted files and demanded Bitcoin for decryption. The incident forced the company to shut down its IT network globally, displacing employees and disrupting critical services, including alarm systems and cash handling operations, leading to customer complaints and abusive calls to resellers. The ransomware strain had previously targeted government entities and healthcare facilities, accumulating substantial cryptocurrency payments from victims. Prosegur implemented containment measures to prevent internal and external propagation while maintaining website functionality during the attack.
Description
On November 27, 2019, Spanish multinational security firm Prosegur publicly disclosed a ransomware attack via a Twitter statement, attributing the incident to the Ryuk malware strain. The attack compromised Prosegur's IT infrastructure, forcing the company to proactively shut down its entire network to contain the threat and prevent further propagation internally and externally. As a direct consequence of the network shutdown, Prosegur sent its global workforce of approximately 170,000 employees home, halting regular operations. The ransomware, known for encrypting files on infected systems, typically demanded Bitcoin payments for decryption, though Prosegur did not disclose whether any ransom was demanded or paid in this instance. The company emphasized implementing "maximum security measures" in its public communication but provided no technical specifics regarding attack vectors, initial access methods, or the scope of encrypted systems.

The incident caused immediate operational disruptions across Prosegur's service ecosystem, with customers and resellers reporting non-functional alarm systems within a day of the attack. Resellers additionally faced abusive calls from frustrated customers unable to access Prosegur's security and cash-handling services, indicating cascading secondary impacts beyond the company's direct infrastructure. Despite these disruptions, Prosegur's public-facing website remained operational during the incident. The Ryuk ransomware, active since at least 2018, had previously targeted U.S. state/local governments, hospitals, and 110 nursing homes in the months preceding the Prosegur attack. Cybersecurity analyses from 2019 indicated Ryuk operators had accumulated over 705 Bitcoin (approximately $3.7 million at the time) from victims within a five-month period, contributing to a documented 90% year-over-year increase in cryptocurrency ransomware payments across the threat landscape. No data theft or additional attacker objectives beyond encryption were reported in available sources.
