Globalcaja confirms ransomware attack

Play gang claims responsibility

A prominent Spanish bank has confirmed that it is dealing with a ransomware attack that has impacted multiple branches.

On Friday, Globalcaja issued a statement assuring customers that the incident has not impacted its entities' operations, and that electronic banking and ATM services are still functioning.

The bank has enacted security protocols - for example, certain office workstations have been disabled and some operations temporarily restricted.

"We continue to work hard to finish normalising the situation and are analysing what happened, prioritising security at all times," the bank said.

"We apologise for any inconvenience caused."

The bank did not say whether it had paid a ransom to the attackers.

Globalcaja, headquartered in Albacete, Spain, boasts a network of over 300 offices spread across the country.

Catering to nearly half a million customers, the bank provides a wide range of services. It manages a substantial portfolio of consumer loans, totalling over $4.6 billion, and employs approximately 1,000 people.

Play gang names Globalcaja as target

Recently, the Play ransomware gang included the bank in its list of victims on a Tor leak site. The gang asserted that it had successfully obtained sensitive and confidential information, including private client and employee data, documents, passports, contracts and other related materials.

The gang threatened to proceed with publishing the stolen data unless the bank complies with its ransom demands.

The Play gang initially surfaced in July 2022, focusing on government entities in Latin America. Its most notable recent attack targeted the City of Oakland, resulting in significant damage and a lengthy recovery process.

Ransomware groups have frequently targeted Spanish institutions in recent years.

In August last year, cybersecurity firm Zscaler published a report indicating that organisations in Spanish-speaking countries such as Mexico and Spain were specifically targeted by a campaign aimed at distributing the Grandoreiro banking trojan.

Earlier this year a ransomware attack severely impacted a hospital in Barcelona, disrupting its operations.

Another ransomware attack targeted a Spanish amusement park company.

According to Martin Mackay, CRO at Versa Networks, the finance sector is an attractive target for ransomware attacks "because of the sheer volume of data and critical services managed by financial institutions.

"Targeting client information and threatening to leak data can not only result in financial damage, but also jeopardise the values and the reputation of the bank," says Mackay.

"Whilst it's unknown if Globalcaja has paid Play's ransom demands, the most important thing in this situation is to not give in to any demands. Paying the ransom is no guarantee that stolen data will be returned or not leaked, and it only fuels further cybercriminal activity.

"The one positive note is that Globalcaja had security protocols in place. Banking organisations that haven't implemented security protocols should look into controls such as network segmentation, which limit malware movement and minimises the impact of breaches. Furthermore, maintaining complete visibility across the entire network can make a huge difference in quickly identifying and dealing with cyber threats."