Two major Spanish companies have been hit by ransomware today. Both infections occurred on the same day, sparking memories of the WannaCry outbreak.
Spain was one of the first countries alongside the UK, where the WannaCry ransomware infections were spotted for the first time back on May 12, 2017. Affected at the time were Spanish newspaper El Mundo, and internet service provider Telefonica.
But today's infections are not part of a global ransomware outbreak. Only two companies have been impacted so far, at the time of writing.
The first is Everis, an IT consultancy firm owned by the NTT Data Group. The second is Cadena SER, Spain's largest radio network, which also admitted to the incident via a message on its website. An Everis spokesperson did not immediately reply to a request for comment.
Both companies have told employees to shut down computers, and have disconnected their networks from the internet.
Everis is the one that was impacted the most, as the company has more than 24,500 employees across 18 countries. Other Everis branches were also impacted, as the ransomware is believed to have spread via the company's internal network.
According to screenshots posted on social media by supposed Everis employees, the ransomware that hit the IT firm is a version of the BitPaymer ransomware that also hit French TV station M6 and German automation tools maker Pilz. [Update: Some security researchers have suggested the ransomware version could be DoppelPaymer, a ransomware strain forked from BitPaymer, but this can't be verified based on the screenshot alone. Both are valid cases due to the very close ties between BitPaymer and DoppelPaymer.]
The ransomware strain that hit Cadena SER is not yet known publicly.
Spanish authorities reacted immediately
Because Spain was one of the countries that were hit early and hard by WannaCry, the country's government organizations reacted promptly.
Spain's Department of National Security issued a security advisory within hours of the incidents, warning companies to improve cyber-security measures and urging any other victims to reach out for help to INCIBE, Spain's National Institute of Cyber-Security.
Although there is no sign of a ransomware outbreak similar to WannaCry, the two ransomware infections had a major impact on the local Spanish business scene. Many local companies use Everis software for day-to-day activities, and there were some who feared they might have been infected, opting to shut down operations to inspect systems.
Rumors also circulated online that other IT companies were impacted, beyond Everis. As a result of the wild speculation going on, the Spanish branches of financial consultancy firm KPMG and software giant Accenture both had to issue statements on Twitter earlier today to reassure customers they were not infected, and that they were operating normally.