Cyber Incident Victim: MasMovil
Date: Jul 2021
Location: Spain
Summary
A Spanish telecommunications provider suffered a ransomware attack by the REvil gang, which claimed to have exfiltrated sensitive company data including databases, backups, reseller information, and scoring documents. The attackers published screenshots of allegedly stolen directories as proof of compromise, though specific operational disruptions or financial demands related to this incident were not detailed in available reports. This breach occurred amid REvil's broader ransomware campaign activity, which included simultaneous high-profile attacks on other organizations. The group typically demanded substantial cryptocurrency payments in exchange for decryption keys and suppression of stolen data, though the exact ransom terms for this specific intrusion remain unspecified.
Description
On or around July 4, 2021, the REvil ransomware gang targeted MasMovil, one of Spain's largest telecommunications operators. The attackers infiltrated the company's systems and exfiltrated sensitive data, including databases and operational documents. REvil publicly claimed responsibility for the breach by posting a message on its Tor-based leak site, accompanied by screenshots purportedly showing stolen directories such as Backup, RESELLERS, SCORING, and PARLEM. These folders suggested access to business-critical systems containing partner information, customer scoring data, and backup repositories. The ransomware group stated, "We have downloaded databases and other important data," though MasMovil did not publicly confirm the scope of data compromise at the time of reporting. The incident coincided with REvil's simultaneous execution of a global supply-chain attack through Kaseya VSA software, which impacted over 1,000 organizations.

REvil's attack on MasMovil occurred during a period of heightened activity for the group, which had escalated its ransom demands in parallel operations. While the gang initially demanded $44,999 per infected endpoint in the Kaseya incident, it later sought a single $70 million Bitcoin payment to decrypt all affected systems in that separate campaign. No specific ransom demand for the MasMovil breach was disclosed in available reporting. The publication of folder screenshots on REvil's leak site indicated an intent to pressure the telecom provider through potential data exposure, though no explicit deadline or extortion terms were detailed for this case. The breach exposed operational and potentially customer-related data, though MasMovil's public response and mitigation actions were not documented in the immediate aftermath. The incident highlighted REvil's focus on critical infrastructure sectors during mid-2021, leveraging double-extortion tactics against high-value targets.
