{
	"id": "5e75be9c-0623-45c1-9fb4-0fc39ce17f0a",
	"created_at": "2026-04-06T00:18:21.639986Z",
	"updated_at": "2026-04-10T03:21:33.197841Z",
	"deleted_at": null,
	"sha1_hash": "63154a94bc66a5d92727b4c2a85c7f90c2eaa71b",
	"title": "Ransomware Attacks Hit Everis and Spain's Largest Radio Network",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 896093,
	"plain_text": "Ransomware Attacks Hit Everis and Spain's Largest Radio Network\r\nBy Sergiu Gatlan\r\nPublished: 2019-11-04 · Archived: 2026-04-05 14:00:47 UTC\r\nEveris, an NTT DATA company and one of Spain's largest managed service providers (MSP), had its computer systems\r\nencrypted today in a ransomware attack, just as it happened to Spain's largest radio station Cadena SER (Sociedad Española\r\nde Radiodifusión).\r\nWhile the ransomware attacks were not yet publicly acknowledged by the company, the ransom note left on Everis'\r\nencrypted computers has already leaked and BleepingComputer can confirm that the MSP's data was infected using the\r\nBitPaymer ransomware.\r\nBitPaymer used in MSP attack\r\nAfter the attack began, Everis sent an internal notification saying that they \"are suffering a massive virus attack on the\r\nEveris network. Please keep the PCs off.\"\r\nhttps://www.bleepingcomputer.com/news/security/ransomware-attacks-hit-everis-and-spains-largest-radio-network/\r\nPage 1 of 4\n\nhttps://www.bleepingcomputer.com/news/security/ransomware-attacks-hit-everis-and-spains-largest-radio-network/\r\nPage 2 of 4\n\nVisit Advertiser websiteGO TO PAGE\r\n\"The network has been disconnected with clients and between offices. We will keep you updated. Please, send urgently the\r\nmessage directly to your teams and colleagues due to standard communication problems,\" Everis added.\r\nThe ransomware encrypted files on the company's systems using the .3v3r1s extension, further exposing the targeted nature\r\nof this attack against the MSP.\r\nThe ransom note that got planted on Everis' encrypted systems warns the company against disclosing the incident while also\r\nproviding it with contact details \"to get the ransom amount.\"  The email contacts listed in the ransom note\r\nare sydney.wiley@protonmail.com and evangelina.mathews@tutanota.com, but these change per targeted attack.\r\nThe attackers asked Everis for a €750,000 ($835,923) ransom to get a decryption key to unlock their files as reported by\r\nbitcoin.es.\r\nUnknown ransomware encrypts radio's systems\r\nEveris was not alone in getting hit by a ransomware attack today as Cadena SER, the largest radio station network in Spain,\r\nwas also hit by an unknown ransomware.\r\n\"The SER chain has suffered this morning an attack of computer virus of the ransomware type, file encrypter, which has had\r\na serious and widespread affectation of all its computer systems,\" Cadena SER says in a notification published today.\r\nFollowing the attack that used an unknown ransomware strain, the radio station had to disconnect all of its computers from\r\nthe Internet and it is currently continuing activity with the help of equipment at its Madrid headquarters.\r\n\"The technicians are already working for the progressive recovery of the local programming of each of their stations,\"\r\nCadena SER adds.\r\nSpain's Department of Homeland Security (Departamento de Seguridad Nacional) also confirmed the ransomware attack\r\nthat impacted Cadena SER as did Spain's INCIBE (Instituto Nacional de Ciberseguridad).\r\nINCIBE is currently helping the radio station to restore their encrypted data and get their systems back online.\r\nPossible MSP downstream attacks\r\nA tactic more commonly being used by ransomware attackers is to target MSPs and use their management software to push\r\nthe ransomware down to the MSPs' clients.\r\nWhile it is not known if these are unrelated cyberattacks, cybersecurity consultant Arnau Estebanell Castellví implied that\r\nEveris may have been the source. According to a tweet by Castellví, Orange cut off Everis' access to the network in order to\r\nprevent the ransomware attack from affecting them.\r\nBleepingComputer has not been able to independently corroborate this statement.\r\nBlueKeep potentially exploited in the attacks\r\nBleepingComputer has learned from a source close to one of the attacks who wishes to remain anonymous that the\r\nBlueKeep vulnerability is reportedly involved in these attacks.\r\nFurthermore, in light of the BlueKeep mass exploitation discovered over the weekend, some say [1, 2] that this vulnerability\r\nwas leveraged in today's ransomware attacks against Spanish organizations but there is no clear evidence to support this\r\ntheory.\r\nThe BlueKeep exploitation attempts have been recorded by security expert Kevin Beaumont's honeypots that expose only\r\nthe 3389 port used for remote assistance connections via the Remote Desktop Protocol (RDP).\r\nBeaumont also found today that Everis has hundreds of servers directly exposed to Internet connections, something that\r\nhints at the possibility of the rumors of BlueKeep exploitation in today's ransomware attacks being true. \r\nhttps://www.bleepingcomputer.com/news/security/ransomware-attacks-hit-everis-and-spains-largest-radio-network/\r\nPage 3 of 4\n\nOh boy, these guys appear to have hundreds of RDP servers directly on the internet HT @binaryedgeio data\r\npic.twitter.com/d7wGjP4J6S\r\n— Kevin Beaumont (@GossiTheDog) November 4, 2019\r\nCastellví told BleepingComputer that, while \"nothing is confirmed right now\", Everis' internal network being down could be\r\nexplained through exploiting BlueKeep or the other two RDP vulnerabilities patched some time ago.\r\n\"I think the initial vector might be email. That is what the Spanish National Security Center has said,\" he added. \"But after\r\npatient 0, I also think it is RDP-based. If not, there is no explanation of why the internal network of Everis is down.\"\r\nWhether BlueKeep was actually involved is not yet clear at this point.\r\nBleeping Computer asked CERT Spain, Everis, and SER for more details but did not hear back at the time of publication.\r\nUpdate November 04, 13:07 EST: Added comments from cybersecurity consultant Arnau Estebanell Castellví.\r\nAutomated Pentesting Covers Only 1 of 6 Surfaces.\r\nAutomated pentesting proves the path exists. BAS proves whether your controls stop it. Most teams run one without the\r\nother.\r\nThis whitepaper maps six validation surfaces, shows where coverage ends, and provides practitioners with three diagnostic\r\nquestions for any tool evaluation.\r\nSource: https://www.bleepingcomputer.com/news/security/ransomware-attacks-hit-everis-and-spains-largest-radio-network/\r\nhttps://www.bleepingcomputer.com/news/security/ransomware-attacks-hit-everis-and-spains-largest-radio-network/\r\nPage 4 of 4",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/ransomware-attacks-hit-everis-and-spains-largest-radio-network/"
	],
	"report_names": [
		"ransomware-attacks-hit-everis-and-spains-largest-radio-network"
	],
	"threat_actors": [],
	"ts_created_at": 1775434701,
	"ts_updated_at": 1775791293,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/63154a94bc66a5d92727b4c2a85c7f90c2eaa71b.pdf",
		"text": "https://archive.orkl.eu/63154a94bc66a5d92727b4c2a85c7f90c2eaa71b.txt",
		"img": "https://archive.orkl.eu/63154a94bc66a5d92727b4c2a85c7f90c2eaa71b.jpg"
	}
}