{ "id": "f19d97af-9d10-4282-85ea-706dcfa30f3a", "created_at": "2026-04-06T00:22:01.317346Z", "updated_at": "2026-04-10T13:12:29.840898Z", "deleted_at": null, "sha1_hash": "0a6d4d45004639e4769fe3be8ec172b119995f88", "title": "Spanish railway infrastructure manager ADIF infected with ransomware", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 52163, "plain_text": "Spanish railway infrastructure manager ADIF infected with\r\nransomware\r\nBy Pierluigi Paganini\r\nPublished: 2020-07-24 · Archived: 2026-04-05 12:34:42 UTC\r\nADIF, a Spanish state-owned railway infrastructure manager under the\r\nresponsibility of the Ministry of Development, was hit by REVil ransomware\r\noperators.\r\nAdministrador de Infraestructuras Ferroviarias (ADIF), a Spanish state-owned railway infrastructure\r\nmanager was hit by REVil ransomware operators.\r\nADIF (Administrador de Infraestructuras Ferroviarias) is charged with the management of most of Spain’s\r\nrailway infrastructure, that is the track, signaling and stations. It was formed in 2005 in response to European\r\nUnion requirements to separate the natural monopoly of infrastructure management from the competitive\r\noperations of running train services.\r\nThe company has over 13,000 employees for a revenue of around $8 Billion.\r\nThe hackers claimed to have stolen 800GB of data including correspondence and contracts.\r\nThe incident was confirmed by Spanish media and security firms, including threat intelligence company Cyble.\r\nAs proof of the attack, REVil ransomware operators have posted a sample of data files exfiltrated from the\r\ncompany. If ADIF will refuse to pay the ransom, REvil ransomware operators will leak their confidential data\r\nonline.\r\n“Simultaneously with the publication, the third attack will follow,” the reads a message posted on their leak site.\r\n“We will continue to download your data until you contact us.”\r\nAdif confirmed to IRJ that it has suffered a ransomware attack and added that its internal security services\r\nimmediately mitigated it.\r\n“The infrastructure has not been affected at any time, and the correct functioning of all its services has been\r\nguaranteed,” the company says. “Adif, aware of being the manager of a critical infrastructure such as the\r\nexploitation of the railway network, considers cybersecurity as one of the pillars of comprehensive security.”\r\n“As per Cyble Research Team, the operators may have downloaded, what seems to be the company’s confidential\r\ndata such as ADIF’s high-speed hiring committee contracts, property records, field works reports, project action\r\nplans, documents about customers, and much more.” reads the post published by Cyble.\r\nhttps://securityaffairs.co/wordpress/106304/cyber-crime/adif-revil-ransomware-attack.html\r\nPage 1 of 4\n\nBelow one of the sample data leaked by the threat actors:\r\nhttps://securityaffairs.co/wordpress/106304/cyber-crime/adif-revil-ransomware-attack.html\r\nPage 2 of 4\n\nThis week REVil ransomware operators also hit Telecom Argentina, one of the largest internet service providers in\r\nArgentina, infecting roughly 18,000 computers during the weekend and now are asking for a $7.5 million ransom.\r\n[adrotate banner=”9″] [adrotate banner=”12″]\r\nPierluigi Paganini\r\n(SecurityAffairs – hacking, ADIF)\r\n[adrotate banner=”5″]\r\n[adrotate banner=”13″]\r\nhttps://securityaffairs.co/wordpress/106304/cyber-crime/adif-revil-ransomware-attack.html\r\nPage 3 of 4\n\nSource: https://securityaffairs.co/wordpress/106304/cyber-crime/adif-revil-ransomware-attack.html\r\nhttps://securityaffairs.co/wordpress/106304/cyber-crime/adif-revil-ransomware-attack.html\r\nPage 4 of 4", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "origins": [ "web" ], "references": [ "https://securityaffairs.co/wordpress/106304/cyber-crime/adif-revil-ransomware-attack.html" ], "report_names": [ "adif-revil-ransomware-attack.html" ], "threat_actors": [], "ts_created_at": 1775434921, "ts_updated_at": 1775826749, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/0a6d4d45004639e4769fe3be8ec172b119995f88.pdf", "text": "https://archive.orkl.eu/0a6d4d45004639e4769fe3be8ec172b119995f88.txt", "img": "https://archive.orkl.eu/0a6d4d45004639e4769fe3be8ec172b119995f88.jpg" } }