Play ransomware gang says it's behind attack on major Spanish bank

Globalcaja, one of Spain’s largest banking institutions, has fallen victim to a ransomware attack said to have been orchestrated by the Play ransomware group. 

The ransomware gang listed the bank as one of its latest victims on its leak site and claims to have gained access to both private and personal data, as well as client and employee documents. 

Passport information and confidential contracts were also noted among the list of data seized during the incident. 

Globacaja confirmed the attack in a statement on June 2nd, but insisted that it had not affected customer or client accounts. 

The bank added that it "activated security” protocols designed to mitigate the impact of a potential breach.

“From the very beginning, at Globalcaja we activated the security protocols created for this purpose, which led us to disable some office posts and temporarily limit the performance of some operations,” the company said. 

“We continue to work hard to finish normalizing the situation and are analyzing what happened, prioritizing security at all times.”

Globalcaja serves more than half a million customers across Spain and employs over 1,000 staff. At present, it is unclear whether Globalcaja has engaged with the group or paid ransom demands.

Martin Mackay, CRO at Versa Networks said the attack aligns with a long-standing trend of ransomware groups targeting financial institutions due to the volume of critical data they hold and process. 

“Whilst it’s unknown if Globalcaja has paid Play’s ransom demands, the most important thing in this situation is to not give in to any demands. Paying the ransom is no guarantee that stolen data will be returned or not leaked, and it only fuels further cybercriminal activity,” he said. 

“The finance sector is an attractive target for ransomware attacks because of the sheer volume of data and critical services managed by financial institutions. Targeting client information and threatening to leak data can not only result in financial damage, but also jeopardize the values and the reputation of the bank.”

Recurring attacks by Play ransomware

This marks the latest in a string of high-profile attacks conducted by the Play ransomware group, which rose to prominence in mid-2022. 

The group has previously claimed responsibility for a highly disruptive attack against Rackspace earlier this year that led to the exposure of sensitive data including passport information, confidential contracts, and student IDs. 

Play was also the group behind ransomware attacks on the German hotel chain, H-Hotels, and the State of New York (SUNY) Polytechnic college last year. 

The group has traditionally targeted organizations across Latin America, according to analysis from Avertium. However, it also has a track record of deploying attacks on companies operating in India, Hungary, the Netherlands, and Spain.