Ransomware is back. Well, in fact, it never went away. However, what is true that from time to time we see more aggressive campaigns with a wider impact, or attacks that are more striking or more flashy.

Update November 22
The latest public administration to be hit by ransomware is Zaragoza City Hall. On November 20, the Municipal Employment and Enterprise Development Institute, Imefez, fell victim to a cyberattack that damaged its IT networks.
The ransomware, called sodinokibi, encrypted the Imefez servers, leaving around 70 employees unable to work. The cyberattackers demanded a €30,000 ransom to decrypt the systems. The Spanish National Police have been notified, as well as the National Cryptology Center (CCN), and the National Cybersecurity Institute. The CCN has sent four technicians to Zaragoza to help resolve the incident as soon as possible.

The list of institutions affected by this kind of malware this year keeps growing. In May, the city of Baltimore was attacked with a strand of ransomware called RobbinHood; the city hall’s systems were blocked for nearly two weeks, and as of September, the effects of the attack were still being felt.

This attack could be seen as the start of a wave of targeted ransomware attacks on public administrations all over the world. This wave of attacks has already affected dozens of governmental institutions, mainly in the US and Europe. In July, the city of New Bedford in the US was hit by a ransomware attack that demanded a $5.3 million ransom, while in October, several US and Australian hospitals were hit by the same strain of ransomware.

Impact in Spain

In Spain, the attacks hit in the middle of September. Since then, several city halls and institutions have been affected by ransomware attacks.

The first signs were seen in the Basque Country, where there were at least four reports of alleged cybersecurity crimes. Warnings were sent out about a massive campaign of emails containing attachments with malware. However, several government entities had already been hit.

This attack campaign has led the Basque Cybersecurity Centre (BCSC) to activate an action protocol. The organization is coordinating a work group to stop to the campaign. Javier Diéguez, director of the BCSC stated that, “this kind of situation isn’t unheard of, and it isn’t a country-wide crisis. What is true is that, unlike other times, some of the affected entities have shared news about the attacks.” The BCSC has explained on its website that the ransomware is getting into these institutions via the botnet Emotet.

Jerez Municipal Government

On October 4, the Municipal Government of Jerez announced that it had been attacked by a piece of ransomware called Ryuk, one of the strains delivered by Emotet. This crypto-malware encrypted the files stored on over 50 servers, forcing municipal government employees to carry out their work by hand. Sources have confirmed that no data has been leaked, and that the ransom demanded by the attackers hasn’t been paid.

Mamen Sánchez, mayor of Jerez, has explained that the institution was attacked “via email”. She also noted that the strand of Ryuk used in the attack was created on September 27, and as such, the antivirus system used by the municipality was not able to recognize or stop the ransomware.

When the attack was discovered, the municipality asked the Ministry of the Interior for help, which sent three experts to the city to assist the city hall’s IT team. The city hall has also contacted other institutions that have suffered similar incidents. “There are many cities that have been affected; the best thing is to speak with them to find out how they resolved the situation,” said Sánchez.

What to do to protect against ransomware

As we mention above, one of the reasons that the attack against Jerez Municipal Government was successful was the fact that its antivirus system was unable to detect a new strand of ransomware. This highlights the importance of advanced, adaptive and intelligent cybersecurity. Traditional signature-based solutions are efficient when it comes to discovering known malware. However, many attacks use new malware or variants of known malware that are not recognized by these solutions. What’s more, Living-off-the-Land techniques are increasingly popular. These attacks don’t use malware of any kind, and so cannot be detected by these solutions.

Panda Adaptive Defense isn’t based on signatures, but on zero-trust of all activity on all devices. To do this, it proactively monitors all activity on the IT network and creates behavior profiles, classifying absolutely all activity in the environment. If it detects any suspicious activity or process, even if it doesn’t have a seemingly suspicious profile, it blocks it and analyzes it. What’s more, it has anti-exploit technology that is able to detect malicious scripts and macros.

Another vital measure is protection for email. Panda Email Protection proactively provides multilayer protection against all kinds of malware and spam for your company’s email in real time, thanks to online scans that are carried out in the Panda Security servers. This advanced scanning technology is carried out from the cloud, simplifying security management, since it can be used from anywhere, at any time, simply by accessing the web console. It also has integrated Cyren technology, with antispam, , pattern-based virus detection and reputation lists, which allow it to provide maximum protection.

Thanks to Adaptive Defense’s advanced technologies, none of our customers have been affected by this wave of attacks. Our protection has proven to be the most efficient against this situation.

Once again, Panda Security’s contextual logic-based security model, has been able to stop the attack. This model is generated with machine learning techniques that reveal malicious behavioral patters and create advanced cyberdefense actions for known and unknown threats. Along with its capacity to register and classify absolutely every running process on the endpoint, this offers us a highly detailed vision of everything that happens in the IT system.