Play ransomware gang compromises Spanish bank, threatens to leak files

Ransomware is creating additional work for a major Spanish bank. Globalcaja, said to have more than 300 offices in Spain and close to half a million customers, has fallen victim to the Play ransomware gang.

The gang claim to have swiped both private and personal information in the attack—including passport scans, contracts, and client and employee documents—which happened last week, but have not revealed exactly how much has been taken. The bank released a statement on June 2, which reads as follows:

Yesterday, we registered a cyber incident, consisting of a computer attack on some local computers through a #ransomware-type virus.

It has not affected the entity's transactions (neither the accounts nor the agreements of the clients have been compromised), so it can operate with total normality in electronic banking (Ruralvía), as well as in ATMs.

From the outset, in #Globalcaja we activated the security protocol created for this purpose, which led us, out of prudence, to disable some office posts, temporarily limiting the performance of some operations.

We continue to work hard to finish normalizing the situation and analyze what happened, prioritizing security at all times.

We apologize for any inconvenience caused.

According to The Record, the bank has not said whether or not a ransom will be paid to the attackers. If there is a bright side here, it’s that people’s actual accounts and transactions have not been accessed. If the bank chooses not to pay the ransom, however, everything taken may be dumped online. Considering the haul is supposed to include passport scans and more, this may still end up causing many problems for the people whose data was stolen.

The Play ransomware group will quite happily leak data in cases where no ransom is forthcoming. Data taken from the city of Oklahoma was leaked in small amounts in March of this year, after several service shutdowns caused by Play brought the city to a standstill. Elsewhere, the gang brought the city of Antwerp to a grinding halt (do you see a pattern here?) with a similar ransomware outbreak. They’re also responsible for the H-Hotel attack, which followed the classic ransomware pattern of disrupting operations and exfiltrating data where possible.

There’s no additional information on offer from Globalcaja, so if you’re a customer or client you’ll have to keep an eye on its website and social media channels for updates in the short term. The supposed publication date for the pilfered information is June 11, so the clock is most definitely ticking.

How to avoid ransomware

  • Block common forms of entry. Create a plan for patching vulnerabilities in internet-facing systems quickly; disable or harden remote access like RDP and VPNs; use endpoint security software that can detect exploits and malware used to deliver ransomware.
  • Detect intrusions. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
  • Stop malicious encryption. Deploy Endpoint Detection and Response software like Malwarebytes EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
  • Create offsite, offline backups. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
  • Don’t get attacked twice. Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.

Malwarebytes EDR and MDR remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.
