“We will sell your data:” Spanish top radio station held hostage by Russian hackers
A popular Spanish radio station with over a million listeners has been hit by attackers who are known for causing chaos and demanding huge amounts of money.
KISS-FM has become the latest high-profile target of the Russia-linked ransomware gang Rhysida, which is now auctioning the station’s alleged stolen data on the dark net.
Rhysida has listed KISS-FM among its newest victims on its leak site, demanding three bitcoins, which amounts to around $300,000, and giving the company a seven-day timeframe to pay before they sell or leak the stolen data.
Posts like these on the dark net are a common attempt to pressure companies into paying ransoms. The Rhysida group is known for double extortion tactics, meaning that hackers not only lock up data with ransomware, but also threaten to leak it unless the company pays.
“Seize the opportunity to bid on exclusive, unique, and impressive data. Open your wallets and be ready to buy exclusive data. We sell only to one hand, no reselling, you will be the only owner!” claim the attackers on the post.
To prove their claims are legitimate, the gang provided low-quality screenshots with stolen data samples. Cybernews has inspected the images, which indicated that among stolen data could be:
- Possible audience rating logs
- Documents exchanged between the company and Spain’s Ministry of Digital Transformation
- Possible invoices
Based on the provided screenshots, there are no clear signs that employee personal data was stolen. However, this cannot be confirmed, as the full extent of the breach remains unknown.
“Although the details of allegedly leaked documents are not fully clear, generally this kind of data exposure could cause loss of public trust, invite scrutiny under Spain’s data protection and GDPR regulations, and disrupt business relationships,” our researchers explained.
Cybernews has reached out to the company for clarification on whether any cyber incident took place and if the claims are legitimate. A response has yet to be received.
The KISS-FM station is owned by the Spanish media group Mediaset España, which operates a couple TV channels and a film production company. The company boasted €2.95 billion in annual revenue last year.
Mediaset España is a subsidiary of the Italian-based company MediaForEurope N.V. (MFE), which is majority-owned by the Berlusconi family.
What is Rhysida ransomware?
The gang is known for going after “targets of opportunity” and has infiltrated various sectors, including education, healthcare, manufacturing, and local governments, according to an updated US Defense Department profile on the gang.
Security researchers at Barracuda noted that the group appears to be either from Russia or a country in the Commonwealth of Independent States (CIS), which includes former Soviet Union nations like Belarus, Kazakhstan, and others.
In its latest operation, Rhysida was caught phishing users using Microsoft Teams, Zoom, and PutTy with malvertisments, aiming to infect their devices with malware and gain access to company data via employees using these platforms.
According to Cybernews' dark web monitoring tool Ransomlooker, the gang has claimed more than 236 victims on its dark blog since its inception in May 2023.
In September, the gang claimed to have breached the Maryland Department of Transportation (MDOT), which operates one of the largest ports in the USA. Data samples of stolen information included passports, IDs, background checks, and other sensitive documents.
In August, a Rhysida attack caused chaos at the Cookville Regional Medical Center, serving the surrounding Tennessee and Kentucky regions. The gang posted over a dozen data samples containing patient information, and the outage prompted IT teams to work around the clock to restore the systems.
In May, the gang claimed to have attacked Peru's government systems. The official government website manages the National Identification Registry, which includes passports, taxpayer information, health insurance, police records, labor records, and more. The Peruvian government denied the ransomware attack.
It has also claimed to have breached one of Brazil’s biggest auto dealerships, named Carrera. Among the allegedly stolen sensitive data were passports and contracts. The gang asked for a ransom of $1 million.
Back in January, the Rhysida gang claimed it had cracked into the servers of Montreal-Nord, a borough in Quebec province, and slapped them with a $1 million ransom demand.
In the last quarter of 2024, Rhysida also made headlines by targeting the Seattle-Tacoma International Airport with a 100 BTC ransom demand. The attack wrecked critical systems and triggered a multi-week outage that brought one of the West Coast’s busiest hubs to its knees.
Airlines like Delta, Singapore, and Alaska were reportedly forced to go full analog and issue handwritten boarding passes.
The same year, the gang claimed a major US news outlet, the Washington Times as a victim. It claimed to be selling the Washington Times' “exclusive” data in an online auction for five bitcoins.
Unlock more exclusive Cybernews content on YouTube.
