Spain’s Labor Office Hit by Massive Ransomware Attack As Unemployment Hits Four-Year High

The victims of this latest ransomware attack are among the most vulnerable in society — those who have lost their jobs or whose jobs have been furloughed.

Spain’s employment service (SEPE) was hit by a ransomware attack last Tuesday that paralysed all of its online processes. The attack forced the suspension of virtually all activities at the organisation’s 700+ offices, including telephone assistance. Employees were ordered to turn off their computers and revert to using pen and paper. For the last five working days they have been unable to process any request for personal information or manage new registrations of dismissed workers, job seekers or requests for benefits. Things are only just beginning to return to some semblance of normality today. 

The Ryuk ransomware virus used in the attack is famed for targeting large, public-entity Microsoft Windows cybersystems. It encrypts data on an infected system, rendering the data inaccessible until a ransom is paid in untraceable bitcoin. According to El País, the Ryuk strain used to target SEPE is more virulent than former strains. It can even infect computers that are switched off.  

Prior victims of Ryuk attacks include US newspapers such as the LA Times and hospitals and schools in the US, Germany and the UK. In this case the victims are among the most vulnerable in society — those who have lost their jobs or whose jobs have been temporarily suspended. In Spain, home to the highest unemployment rate in the Euro Area, they are legion. In total, 2.73 million people depend on SEPE for funds, including my wife who is currently furloughed. 

Stretched to Breaking Point

SEPE is responsible for processing unemployment and furlough claims and payments. Long before last week’s attack, it had already been stretched to breaking point by the sheer number of applications for furlough payments in the early months of the virus crisis. At the height of last year’s lockdown some 4.5 million people were on furlough or receiving self-employed assistance. That number steadily declined as many returned to their jobs, reaching just under a million in February.

But the dole queue has grown steadily, reaching a four-year high of 4.08 million in February. That’s the equivalent of 16.1% of the working population. It’s more than a million less than the historic peak registered in 2013, when the unemployment rate hit 26%. But almost a million people are currently furloughed and don’t count as “unemployed.” Many of their jobs will end up being destroyed.

The outlook is particularly bleak for Spain’s youth, who already bore the brunt of the last crisis. Many of the best and brightest have since left the country for greener pastures. Yet despite suffering one of the worst brain drains in Europe, the official jobless rate for those under 25 still remains above 40% — the highest level in Europe. The 30-39 age group also lost ground during the post-crisis years. Many of the young Spaniards that do have work aren’t earning enough money or don’t have enough job security to rent an apartment. This may partly explain why Spain has become a squatter’s paradise.

Another Jobs Crisis Beckons

Unemployment in Spain is almost certain to continue rising this year as many furloughed workers join the dole queue. According to the Bank of Spain, the unemployment rate could even cross the 20% threshold again. If so, it would be the fourth time it has happened since 1984. 

Spain’s jobs market has been a sorry mess for a long time for a number of reasons, including:

  • Its huge informal sector. Spain, like Greece and Italy, is home to a vast submerged economy. Hundreds of thousands of workers have no contracts and pay no taxes or social security. As such, the number of unemployed — while still painfully high — is almost certainly smaller than official figures suggest.
  • The acute seasonality of its biggest jobs generator, tourism. After the decline of the construction sector during the housing crisis (2008-12), the tourism industry took its place as the biggest employment generator. It is now in the midst of its own crisis. But even before the pandemic, workers in the sector earned a miserly median wage of just €14,000 — 48% less than their counterparts in the construction industry before the housing crisis. And most of the work is more precarious due to the seasonal nature of tourism. 
  • Bipolar nature of Spain’s labor contracts. Employment contracts for permanent jobs in Spain are exceptionally rigid and generous when it comes to redundancies. For contracts signed before 2012 workers receive up to 45 days’ severance pay for each year worked. This makes it prohibitively costly for companies to lay off workers. To gain some degree of hiring flexibility and reduce fixed costs, companies often use temporary contracts. Many abuse them. The inevitable result is a two-track labor market that encourages employers to create precarious, short-term jobs and discourages them from hiring young people as permanent employees. At the end of last year, a quarter of all jobs in Spain had temporary contracts. In the public sector, the ratio reached 29%. 

As Spain’s jobs crisis has deteriorated in the pandemic’s wake, SEPE has been pushed to the limit. At the start of the lockdown, the organization had to shift many of its processes online, but it has struggled to cope with the sheer volume of applications. Unions complained that the organization was understaffed. By late summer many new unemployment claimants were having to wait months before receiving their first check. This trend is likely to get even worse after the Ryuk ransomware attack. 

An Easy Target

SEPE’s director, Gerardo Gutiérrez, has called for “calm” and assured the public that servers, personal data and the programs used to manage benefits have not been affected, and that payments would continue as normal. The same cannot be said for new applications, which will now take even longer to process. On Tuesday, a whole week after the attack, the system is only just beginning to come back online. We’ll probably never know how much the government paid the hackers to end the siege.

One thing that is clear is that SEPE was an easy target due to its archaic IT infrastructure and system. Even before last year’s lockdown unions were demanding more investment to update equipment, which is on average 30 years old. Many SEPE officials have been working from home, sometimes on their own PCs, which makes the system an even easier target for hackers. 

Some Spanish government institutions are better equipped when it comes to IT security, including the Tax Office and the Ministry of Defense. Others, such as the public health and education systems, are, like SEPE, using equipment, programs and systems that belong to a bygone age.

But it’s not just under-funded, poorly organized government bodies that are falling victim to cyber attacks. Many of the world’s biggest, most sophisticated companies have become targets. In 2018, a group of hackers pulled off a $20 million virtual bank heist by targeting Mexico’s inter-bank payments system (SPEI). Last April, the Financial Stability Board (FSB) warned that “a major cyber incident, if not properly contained, could seriously disrupt financial systems, including critical financial infrastructure, leading to broader financial stability implications.”

As more and more of our activities have shifted online, it is becoming increasingly clear that no one — not even tech giants like Google and Microsoft — can offer complete protection of the data they store. As we grow more and more dependent on the Internet for just about everything, our data has never been more fragile.  

This is great news for hackers, whose ranks are burgeoning as more and more criminals get with the times and move online. But it’s bad news for the general public, especially given the haste with which governments and companies are trying to roll out digital vaccine passports that could end up including our most sensitive data of all: our biometric data.




  1. The Rev Kev

    If computer systems are going to remain vulnerable, then perhaps other methods may have to be used to mitigate the effects of any such attacks. Going to go way over my skis here so would welcome any technical correction. I would imagine that it would be possible to take an “image” of the system and its installed programs so that it could overwrite an infected or compromised system so that you would have a clean install. But this leaves the databases.

    So perhaps it might be an idea to make it possible to have people receive copies of their files in an encrypted form and authenticated with a hash code. Maybe make it possible for people to upload those encrypted files to a server for free who only stores these encrypted files. That way, if a system has been compromised, a fresh install of the system can be done and the encrypted files retrieved and put back into the system.

    I would imagine that there would be all sorts of problems and restrictions as to what is possible but the core idea remains the same – that people would be able to store a copy of their own files locally so that all their data eggs are not in one basket so to say. And you could do that for employment, medical, utilities and whatever databases.

    1. Glen

      It’s certainly possible to take a snapshot of your PC including any DBs. This is the norm for managing VMs.

      I use this all the time at home, but the use of VMs is discouraged where I work.

    2. topcat

      It is just a matter of money. Like the server centre in Strasbourg that burned to the ground last week causing many (large) companies to lose all of their data because they did not want to pay to have the data mirrored at a different location. Most of these large computer systems are old and seriously underfunded. Everyone just hopes that it won’t happen to them.

    3. Zamfir

      Yeah, this is standard stuff. Windows has a built in system for that, called shadow copy.

      The ransomware software lurks on the system until it has identified where the shadow copies go. It has some tricks to destroy them (including just overwriting), which it uses in the background before the encryption starts.

      My understanding is that this Ryuk software is actively monitored. It’s not fully automated, its operators are carefully looking whether it has found all the shadow copies and regular backups, for weeks or months before the strike happens.

      1. Joe

        I’ve never understood why I have no control over who my computer talks to and what information is conveyed or received. That seems an elementary requirement.

    4. H. Alexander Ivey

      Not a technical correction, but just to say you are so far over your skis, you have a face plant.

      Computer systems are just that, systems. Not isolated parts, existing independently. So if the system gets locked up, you can not restore functionality by “restore from backup”.

      Why not? Because a frozen system is like a forest that has burned down. Entirely. Now you may think we simply replant the forest (assuming you had the right plants, the right age and size, and their right locations-you have a backup, right?). True, but the problem is that the land hasn’t stayed still either. Soil has been contaminated and can’t be planted over. The streams and rivers have been changed-changed to prevent another forest fire, roads have been blocked and new ones carved out for the same security reasons. You can’t plant back ‘cos the road has been moved, etc. Some of the animals won’t come back simply out of fear, out of change, etc. So no, it can’t simply be restored from backups.

      But if you want a technical note, anyone saying “databases can be restored as a solution”, is wrong.
      It’s a system, the databases are just one part, like the big oak trees in the forest. The PC/Macs are the shrubs, the servers are the roads and streams. Can you restore them too?

  2. Joe

    How can bitcoin, which lives in computer networks, not be traceable? It should be the most traceable thing on the planet.

  3. Bill Smith

    “It can even infect computers that are switched off.”

    How does that magic work?

    Backups, once made, need to be kept off line. Yes it is more work and costs more.
