Prosegur shuts down their IT network after Ryuk ransomware attack

Spanish security company forced to go offline after an incident that involves Emotet and Ryuk viruses

Network of the security firm was shut down due to the malware attack.

Ryuk ransomware affected Prosegur's communications and forced the company to go offline. Prosegur released a statement[1] about the attack, which forced the company to shut down services and take security measures into its own hands.[2] A Twitter post issued on November 27th informed customers that the company had activated its security protocols in response to an undisclosed security incident, and that all communications had been restricted to keep the malware from spreading further.

The website went offline on Wednesday morning, and a few hours after the initial post, another Twitter statement confirmed that Ryuk ransomware[3] had caused the issues:

Prosegur reports that the incident detected today corresponds to a generic attack, caused by the Ryuk ransomware. The company has enabled maximum security measures to prevent the spread of the virus both internally and externally.

At first, it was not reported what malware, or even what type of virus, had got into the system, but after the confirmation from Prosegur, local media reported that the Ryuk ransomware was delivered with the help of the Emotet trojan.[4] Once the attack was detected, the IT network was shut down and employees were sent home.

The company states that no data was compromised

The first report about the incident was released at 5 am GMT, when employees were sent home and the network went offline. An hour after that, Prosegur confirmed the situation with a tweet, and 12 hours later stated that Ryuk was to blame. Many customers and online sources questioned the timing and the firm's delayed response, but the company has released multiple updates on the situation via Twitter.

The security firm is a global company that employs 170,000 members of staff and runs six operation centers among its various services. The company is active in 25 countries, and Prosegur's reported revenue exceeded 3 billion euro in 2018. Prosegur states that the malware was terminated and all the necessary mitigating controls were deployed, so services should be fully restored in a few days. Details on ransom demands and other specifics of the attack were not released, but it is believed that the ransom was not paid.

The investigation is still ongoing, and more details should be revealed later on. Prosegur says that the particular typology of the attack, its behavior, the response plan and other details will be made public after the investigation. Updates from the company also noted that Ryuk ransomware had affected other organizations in Spain in the last few months.[5]

Ryuk ransomware is specifically used to target enterprise environments

Ryuk ransomware has been known for a while now, and the developers of the threat have already made millions of dollars from ransom payments alone. The threat targets large companies in various industries because the more significant the target, the bigger the ransom demand can be.

This virus demands at least 15 Bitcoins from a single victim, and the demand can go up to 50 BTC, estimated to be equivalent to $400,000 at the time of writing. Back in August, the U.S. Department of Health and Human Services warned that Ryuk actively targets healthcare organizations.[6]

Analysis of the behavior and comparisons of the malicious code show that Ryuk is a version of Hermes ransomware, which has been on sale in various dark web forums and used by various threat actors. At least 52 ransom payment transactions have been observed, so the current take of the ransomware is at least $3.7 million.

About the author
Gabriel E. Hall

Gabriel E. Hall is a passionate malware researcher who has been working for 2-spyware for almost a decade.
