Spanish government falls victim to Ryuk ransomware attack

The Spanish government has fallen victim to a ransomware attack on Tuesday that impacted the IT systems of the Servicio Público de Empleo Estatal (SEPE), the agency that manages and pays out government unemployment benefits.

The incident affected the agency's backend systems and public website.

SEPE staff in 710 offices across Spain had to cancel and reschedule meetings with unemployed workers after they were locked out of central systems. Fifty-two self-serving telematics systems were also down following the attack, with similar issues.

Government officials weren't forthcoming with details about the incident in the early hours of Tuesday morning. In initial media reports, SEPE management denied getting hit by ransomware and called the incident a technical issue.

Officials had to walk back claims after members of a government workers labor union —the Central Sindical Independiente y de Funcionarios (CSIF)— leaked to the press that the national SEPE outage was far more than management was letting out.

CSIF officials told local newspapers like El Pais that the outage was the result of an attack with the Ryuk ransomware on the agency's internal systems and that all the agency's systems were affected and down. Labor members also accused the agency of running outdated IT systems, which might have facilitated the attack.

SEPE director Gerado Guitérrez eventually confirmed the Ryuk ransomware attack in an audio message posted on the Twitter account of the Spanish Ministry of Labor and Social Economy.

Guitérrez said the incident did not impact the agency's ability to pay out unemployment benefits. SEPE also set up a free hotline where citizens can interact with staff and obtain information.

Multiple sources have told The Record yesterday that the incident might have taken place after the ransomware gang gained access to the agency's internal network via an unpatched networking device.

This is the third major ransomware-related incident reported in Spain. The first was the WannaCry ransomware outbreak of 2017, when Spain was among the first countries to get hit. The second nationwide ransomware attack took place in November 2019 and impacted Everis, an IT consultancy firm owned by the NTT Data Group. The second is Cadena SER, Spain's largest radio network.