Ransomware is a class of malware that encrypts files and demands a payment to restore access, now combined with prior data exfiltration and sustained public pressure on the victim. In Spain during 2026, it remains the leading cause of serious incident notifications under NIS2 and the threat with the largest operational and reputational impact on mid-market and large enterprises, public administrations and essential service operators. Criminal activity has shifted after the LockBit disruption, yet overall volume has not dropped.
This guide offers an executive and technical reading of the Spanish landscape: which sectors are absorbing more incidents, which groups operate against organisations on Spanish soil, how to fit response into the regulatory framework and which controls to prioritise for 2026.
Key takeaways
- Active groups against Spain in 2026: LockBit successors and forks, RansomHub, Play, Akira, 8Base and opportunistic operators relying on infostealers.
- Most targeted sectors: healthcare, manufacturing, local and regional public administration, retail and tourism, education, financial services under DORA pressure.
- Dominant model: double and triple extortion (encryption, data leak, pressure on clients and regulators).
- Regulatory framework: NIS2 (24h early warning), GDPR (72h if personal data is involved), DORA in banking and insurance, ENS for the public sector.
- Effective response: fast containment, forensic preservation, coordinated communication with INCIBE-CERT or CCN-CERT, recovery from verified backups.
2026 Landscape: What Is Changing
Ransomware in Spain is not a new threat, but its shape has visibly changed since 2024. The international disruption of LockBit infrastructure in February 2024 (Operation Cronos) and the partial retreat of BlackCat/ALPHV following the Change Healthcare episode reshuffled the ecosystem. Affiliates, who are the real operational muscle, quickly redistributed toward RansomHub, Play, Akira, 8Base and new brands surfacing in 2025 and 2026.
Public reporting from INCIBE-CERT, CCN-CERT and annual references such as Mandiant M-Trends converge on several trends relevant to Spanish companies:
- Shorter dwell time: encryption is often executed less than 5 days after initial access, narrowing the detection window.
- Initial access via valid credentials dominates: infostealers (Lumma, RedLine, Stealc), prior breaches and RDP/VPN without MFA. Phishing is still present but now competes with access bought from Initial Access Brokers.
- Increased pressure on the victim: direct outreach to clients, journalists, regulators and executives to force payment.
- Growing focus on ESXi hypervisors and virtualised environments to maximise impact with a single binary.
- Reuse of leaked source code (LockBit 3.0 builder, Conti) by smaller groups and opportunistic operators.
Two realities coexist in Spain. On one side, large organisations with an internal SOC or a managed SOC service detect and contain in time. On the other, a broad fabric of industrial SMEs, town councils, clinics and education providers with exposed surface, no EDR and non-immutable online backups. That second reality remains the most profitable target for criminal groups.
Most Targeted Sectors in Spain
| Sector | Predominant incident type | Documented consequences |
|---|---|---|
| Healthcare (hospitals, clinics, labs) | HIS/RIS/PACS encryption, leak of clinical records | Cancellation of scheduled surgeries, fallback to manual procedures, data protection reports |
| Industry and manufacturing | Encryption of IT systems, with OT shut down as a precaution | Production line stoppage, delivery delays, supply chain impact |
| Local and regional public administration | Encryption of internal systems, leak of case files | Suspension of in-person procedures, manual communications, citizen notifications |
| Retail, tourism and hospitality | Encryption of PMS, POS, ERP, leak of client databases | Disruption of bookings and sales, card data exposure, mass complaints |
| Banking, insurance and financial entities | Access via third parties, encryption of administrative environments | Activation of continuity plans, DORA and Banco de España notifications |
| Education (universities, schools) | Encryption of virtual classrooms, academic ERP, email | Loss of academic calendars, exposure of minors' data |
| Professional services and law firms | Mass encryption of documentation and email | Inability to operate, direct pressure from end clients |
Multiple public cases have been documented across each of these sectors. The best-known historical reference in healthcare is the Hospital Clínic de Barcelona incident in 2023. In the public sector, the SEPE case in 2021 marked a turning point in awareness. Without disclosing confidential matters, Spanish CSIRTs have been reporting a sustained trend of serious incidents in healthcare, manufacturing and local administration.
Active Ransomware Groups Against Spanish Companies
The group landscape shifts every quarter. These are the most relevant actors for a Spanish organisation in 2026, described without glamorising their activity:
- LockBit successors and forks. After their infrastructure was disrupted, part of the affiliate base migrated to other brands, but LockBit 3.0 builders and leaked code remain in use by smaller operators. Typical vector: VPN without MFA, exposed RDP, perimeter vulnerabilities.
- BlackCat/ALPHV (historical reference). Operated until 2024 with a sophisticated RaaS model and Rust binaries capable of encrypting Windows, Linux and ESXi. Its technical legacy influences several current groups.
- Play. Active and steady. Combines perimeter vulnerability exploitation (Fortinet, remote management products) with intensive use of living-off-the-land tooling. Usually encrypts after several days of exfiltration.
- RansomHub. Emerged in 2024 as an affiliate-friendly RaaS with aggressive terms. Absorbed profiles previously operating in ALPHV and LockBit. Broad targeting, including Spanish victims in industry and services.
- Akira. Known for its retro aesthetic and for hitting mid-market companies. Frequent vectors: Cisco VPN without MFA, stolen credentials. Encrypts Windows and ESXi.
- 8Base. Combines a Phobos rebrand with active double extortion. Predominantly opportunistic against SMEs with exposed surface.
Alongside these, a growing volume of opportunistic operators mixes purchased access from marketplaces, leaked builders and exfiltration with tools such as RClone or Mega. They are not branded groups, but they generate equally severe incidents.
The Double and Triple Extortion Model
Modern ransomware rarely stops at encryption. The standard chain in 2026 looks like this:
- Initial access (valid credentials, phishing, perimeter vulnerability, supply chain).
- Reconnaissance and lateral movement for days or weeks.
- Exfiltration of sensitive data before encryption, using legitimate channels to evade DLP.
- Mass encryption of servers, NAS and hypervisors.
- Double pressure: payment to decrypt plus payment to prevent leak site publication.
- Optional triple pressure: calls or emails to clients, regulators and media; additional DDoS attacks; direct outreach to executives.
The regulatory implication is clear. If personal data is exfiltrated, the duty to notify the Spanish AEPD within 72 hours under GDPR is triggered. If the organisation qualifies as essential or important entity under NIS2, the early warning to the competent CSIRT within 24 hours applies, with a full report following. In banking and insurance, DORA adds specific reporting to the sector supervisor. In the public sector, ENS and CCN-CERT define the procedure. These obligations are not paused by an ongoing incident response.
Predominant Initial Access Vectors
Five vectors account for the vast majority of initial access in ransomware incidents against Spanish companies. Each maps to concrete controls:
- Phishing with malicious attachment or link. Still a classic vector, now with social engineering enhanced by generative AI. Prevention: advanced email filtering with sandboxing, periodic training with simulations, phishing-resistant MFA (FIDO2) on privileged accounts. More context in how to avoid phishing.
- Exposed perimeter vulnerabilities. Citrix NetScaler, Fortinet SSL VPN, Ivanti products, on-premise Exchange, remote management devices. Prevention: continuous external surface inventory, patching within SLA, decommissioning legacy services, subscription to critical CVE feeds and immediate mitigation deployment.
- Stolen credentials (infostealers, RDP, dumps). Lumma, RedLine, Stealc and similar steal tokens, cookies and credentials sold on to Initial Access Brokers. Prevention: universal MFA on external access, monitoring of leaked credentials, strict RDP control (no internet exposure, use of bastion, MFA), password policies aligned with NIST SP 800-63B.
- Supply chain and MSP compromise. IT support providers, integrators and remote management software used as a doorway. Prevention: contractual security clauses, segmentation of third-party access, MFA and dedicated accounts for external support, monitoring of privileged third-party account activity.
- SaaS platform vulnerabilities and cloud misconfiguration. Overly permissive OAuth grants, exposed buckets, cloud identities without MFA. Prevention: CSPM, periodic IAM role review, conditional MFA, least privilege.
Regulatory Mapping: NIS2, DORA, GDPR, ENS
A ransomware incident in a Spanish company triggers several obligations that coexist and must be managed in parallel from the first hour.
- NIS2. Applies to essential and important entities under the Spanish transposition. It requires an early warning within 24 hours to the competent CSIRT (INCIBE-CERT or CCN-CERT depending on the case), an incident notification within 72 hours with initial assessment, and a final report within one month. The operational guide is detailed in NIS2 audit step by step.
- GDPR. If the incident compromises personal data, notification to the AEPD within 72 hours is mandatory unless absence of risk can be justified. If risk is high, affected individuals must also be notified. Exfiltration inherent to the double extortion model almost always triggers this duty.
- DORA. For financial entities and insurers, it adds specific reporting to the supervisor (Banco de España, CNMV, DGSFP as applicable) within defined timeframes. Incident traceability and continuity evidence are inseparable from the technical response. We cover this in depth in the DORA compliance guide for financial entities 2026.
- ENS. In the public sector or for providers serving public sector clients, the procedure is channelled through CCN-CERT and notification adjusts to the system category. See ENS certification: complete guide.
A single incident commonly triggers all of these duties at once. Prior preparation (notification templates, contacts, severity criteria) is the difference between meeting and missing the deadlines.
Incident Response to Ransomware: Condensed DFIR Protocol
An operational response protocol boils down, in practice, to these steps. The detail is agreed in the internal playbook and tested in tabletop exercises at least annually.
- Detection and activation of the crisis committee. Confirm the incident, activate the response team (internal and external provider if a retainer exists), notify leadership and legal counsel.
- Immediate containment. Isolate affected segments, disable compromised accounts, sever connectivity for compromised systems without shutting them down so volatile memory is preserved.
- Forensic evidence preservation. Memory dumps, forensic images of key endpoints, log copies (firewall, EDR, AD, VPN, email) to WORM storage. Traceability is critical for analysis and for regulators.
- Triage and analysis. Identify initial vector, scope of compromise, exfiltrated data, indicators of compromise, possible persistence. With a DFIR retainer, this phase is led by the provider.
- Communication and regulatory notifications. Notify the competent CSIRT (INCIBE-CERT for the private sector, CCN-CERT for the public sector), AEPD if applicable, DORA supervisors if applicable, clients and stakeholders as per contract.
- Eradication. Remove persistence, rotate credentials at scale (including resetting the Kerberos krbtgt account password twice), rebuild compromised systems, patch the initial vector.
- Recovery. Restore from verified backups, validate integrity before reconnecting, phased return to production with reinforced monitoring.
- Lessons learned. Honest post mortem, response plan update, control adjustments, communication to leadership and, where appropriate, to clients.
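The evidence preservation step above depends on being able to prove later that a log copy or image is the one acquired during the incident. This added example (not the article's or Secra's tooling) builds a chain-of-custody manifest with streamed SHA-256 hashes and verifies it before and after tampering; the case id, collector name and sample VPN log line are constructed.

```python
"""Chain-of-custody manifest for preserved evidence (log copies, memory dumps,
disk images) before it is written to WORM storage. Added example, not the
article's own tooling; file names, case id and collector are constructed.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path: str, chunk: int = 1 << 20) -> str:
    """Stream the file so multi-GB images never have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def _items_digest(items: list) -> str:
    return hashlib.sha256(json.dumps(items, sort_keys=True).encode()).hexdigest()


def build_manifest(case_id: str, paths: list, collector: str) -> dict:
    """Record who acquired which artefact, when, and its hash."""
    items = [{
        "path": os.path.abspath(p),
        "size": os.path.getsize(p),
        "sha256": sha256_file(p),
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
    } for p in sorted(paths)]
    # Hashing the item list makes edits to the manifest itself detectable.
    return {"case_id": case_id, "collector": collector,
            "items": items, "manifest_sha256": _items_digest(items)}


def verify_manifest(manifest: dict) -> list:
    """Return entries whose content no longer matches; "<manifest>" means the
    manifest record itself was altered."""
    changed = []
    if _items_digest(manifest["items"]) != manifest["manifest_sha256"]:
        changed.append("<manifest>")
    for item in manifest["items"]:
        p = item["path"]
        if not os.path.exists(p) or sha256_file(p) != item["sha256"]:
            changed.append(p)
    return changed


def demo() -> dict:
    """Acquire a constructed VPN log, verify, then tamper and re-verify."""
    with tempfile.TemporaryDirectory() as d:
        log = os.path.join(d, "vpn-2026-01-15.log")  # constructed sample evidence
        with open(log, "w") as f:
            f.write("2026-01-15T02:11:09Z vpn user=svc_backup src=203.0.113.7 result=ok\n")
        m = build_manifest("CASE-2026-0001", [log], collector="dfir-oncall")
        clean = verify_manifest(m) == []
        with open(log, "a") as f:
            f.write("edited after acquisition\n")
        tampered = verify_manifest(m) == [os.path.abspath(log)]
        m["items"][0]["sha256"] = "0" * 64          # forge the record instead
        forged = "<manifest>" in verify_manifest(m)
    return {"clean": clean, "tamper_detected": tampered, "forgery_detected": forged}
```

Store the manifest alongside the evidence on the WORM target and keep a second copy outside it; the digest over the item list is what lets a reviewer tell an altered record from an altered file.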
Contact with INCIBE-CERT happens through the official channels published on its website and the incident notification form. For the public sector, CCN-CERT maintains equivalent channels via LUCIA and direct notification.
Technical Prevention for 2026
Ten concrete controls, ordered by real impact on the probability and severity of a ransomware incident. None is optional for a company with critical data.
- 3-2-1-1-0 backups with immutable and offline copy. Three copies, two media, one offsite, one immutable or air-gapped, zero errors verified through real restoration drills. This control is the difference between days of recovery and months.
- Universal MFA on perimeter and administration. VPN, RDP, email, admin panels, cloud. No exceptions for privileged accounts. Phishing-resistant MFA (FIDO2) where possible.
- EDR/MDR deployed on 100% of the estate. Visibility, detection and automated response. Without a 24x7 internal team, contract MDR. The first hours are decisive.
- Real network segmentation. Isolation of critical servers, OT separated from IT, datacenter microsegmentation, administration environment segregation. Limits the blast radius.
- Hardening of RDP, SSH and remote access. RDP never exposed to the internet, mandatory bastion, logging and recording of privileged sessions.
- Patching within SLA with perimeter focus. Critical CVEs in perimeter systems patched in under 72 hours. Continuous external surface inventory. More in cybersecurity audit for business: scope and method.
- Awareness and phishing simulations. Continuous programme, not a single annual session, with per-department metrics. The user remains a real line of defence.
- Proactive threat hunting. Active search for indicators of compromise, anomalous behaviour analysis, hypotheses driven by TTPs of groups relevant to the sector.
- Tested business continuity and recovery plan. Documented procedures, annual exercises, realistic RTO/RPO, defined crisis chain of command.
- Cyber insurance with reviewed terms. Honest reading of exclusions, minimum control requirements set by the insurer (commonly MFA and EDR), effective coverage of response and recovery.
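The 3-2-1-1-0 rule in the first control is easy to claim and harder to evidence. This added example (not the article's or Secra's tooling) evaluates a constructed backup inventory clause by clause, treating the final "0" as every copy having passed a restoration drill within an assumed 90-day window; the inventory fields and sample copies are assumptions.

```python
"""Check a backup inventory against the 3-2-1-1-0 rule described above.
Added example, not the article's own tooling; the inventory fields and the
three sample copies are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class BackupCopy:
    name: str
    medium: str                  # e.g. "disk", "object-storage", "tape"
    offsite: bool
    immutable: bool              # object lock / WORM: a domain admin cannot alter it
    online: bool                 # reachable from the production network
    last_restore_test: Optional[date]
    last_restore_ok: bool


# Constructed inventory typical of a mid-market estate: a local NAS snapshot,
# an immutable cloud copy whose restore drill has gone stale, and offline tape.
INVENTORY = [
    BackupCopy("nas-snapshot", "disk", False, False, True, date(2026, 1, 20), True),
    BackupCopy("cloud-objectlock", "object-storage", True, True, True, date(2025, 10, 1), True),
    BackupCopy("tape-vault", "tape", True, False, False, date(2026, 2, 1), True),
]


def evaluate_321_10(copies: list, today: date, max_test_age_days: int = 90) -> dict:
    """One boolean per clause. The final "0" only passes when every copy has a
    successful restoration drill within max_test_age_days (an assumed window)."""
    def verified(c: BackupCopy) -> bool:
        return (c.last_restore_test is not None and c.last_restore_ok
                and (today - c.last_restore_test).days <= max_test_age_days)
    return {
        "3_copies": len(copies) >= 3,
        "2_media": len({c.medium for c in copies}) >= 2,
        "1_offsite": any(c.offsite for c in copies),
        # The extra "1": at least one copy that an attacker holding domain admin
        # cannot encrypt or delete, i.e. immutable or not reachable online.
        "1_immutable_or_offline": any(c.immutable or not c.online for c in copies),
        "0_errors_verified": bool(copies) and all(verified(c) for c in copies),
    }


def audit(copies: list = INVENTORY, today_iso: str = "2026-02-10") -> list:
    """Clauses to fix, in rule order, ready to drop into an action plan."""
    today = date.fromisoformat(today_iso)
    return [k for k, ok in evaluate_321_10(copies, today).items() if not ok]


if __name__ == "__main__":
    print(audit())  # the sample estate only fails the restoration-drill clause
```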
Pay or Not Pay the Ransom?
In Spain, paying a ransom is not illegal in itself, yet INCIBE, CCN-CERT and the main international CSIRTs all recommend against it. Several technical and legal reasons should be kept in mind.
- Payment does not guarantee recovery. There are documented cases of faulty decryptors, data not returned despite payment, and subsequent publication of exfiltrated data.
- Risk of international sanctions. If the group or its operators are listed under sanctions (OFAC in the US, EU lists), payment may trigger liability for the paying company and any intermediary.
- Funding the criminal ecosystem. Each payment increases the profitability of the model and the likelihood of further attacks against the same sector.
- Reputational and corporate governance implications. The decision must be an explicit board call, recorded, and communicated as per applicable regulatory framework.
The standard recommendation is to prioritise recovery from verified backups, manage data leakage as a security breach and handle communication with clients and regulators through controlled transparency. Payment should be the last resort, evaluated with specialised legal counsel and informed knowledge of the specific group.
Frequently Asked Questions
Is paying the ransom illegal in Spain?
Paying a ransomware ransom is not specifically criminalised in the Spanish Criminal Code as of 2026. However, if the criminal group or its operators are listed under international sanctions (OFAC, EU), the payment can trigger liability for funding sanctioned activities, including for any intermediary that processes the transaction. INCIBE and CCN-CERT advise against payment as general policy. The decision must be taken with specialised legal counsel, explicit internal documentation and awareness that it does not guarantee recovery or attacker silence.
How long does a typical ransomware recovery take?
It depends on backup maturity, encryption scope and availability of technical staff. With verified immutable backups, proper segmentation and a tested plan, a mid-market organisation can resume partial operations in 3 to 7 days, with full recovery in 2 to 4 weeks. Without those controls, the typical range extends to several weeks or months, with significant data loss. The first 72 hours have the largest impact on total time. Prior preparation makes the difference, not heroics during the incident.
Does cyber insurance cover ransom payment?
Some policies do cover it, but effective coverage depends on exclusions and specific terms. Most insurers require minimum controls (perimeter MFA, EDR, tested backups) whose absence can void coverage. Market conditions have tightened since 2023 with extortion sublimits, exclusions for international sanctions and high deductibles. We recommend auditing the policy with a specialist before you need it and verifying that the required controls are actually implemented, not merely declared.
Do affected clients need to be notified?
If exfiltration involves personal data and the AEPD assesses high risk to data subjects, notification to those individuals is mandatory under GDPR. In B2B environments, almost all master agreements include client notification clauses with short deadlines (24-72 hours) for security incidents affecting their data. This communication must be planned before an incident, with templates reviewed by legal and a defined channel. Improvising the message mid-crisis tends to worsen the reputational impact.
What role does CCN-CERT play in a ransomware incident?
The CCN-CERT is the national government CSIRT under the Centro Criptológico Nacional. It is the reference for the public sector and classified systems, and runs the LUCIA platform for incident notification within the ENS framework. It publishes guides, tools, IOCs and issues advisories on active families. In incidents affecting critical infrastructure or the public sector, it coordinates with relevant authorities. For private companies, the main interlocutor is INCIBE-CERT, although CCN-CERT maintains channels for cases with a national security dimension.
Can preventive threat hunting be done against ransomware?
Yes, and it is one of the investments with the best cost to impact ratio. Threat hunting starts from hypotheses about known TTPs of groups relevant to the sector and looks for indicators in logs and endpoints. It detects lateral movement, persistence, exfiltration tooling and typical precursors before encryption. It can be operated internally with a SOC staffed by senior analysts or outsourced as a service. The difference with a reactive SOC is proactivity: instead of waiting for the alert, the team goes looking for what the attacker already did and nobody noticed.
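As an illustration of a hypothesis-driven hunt for the exfiltration precursors the answer mentions (RClone and Mega clients, per the earlier section on opportunistic operators), this added example runs detection logic over constructed process-creation events; it is not the article's or Secra's tooling, and the event field names are assumptions modelled on EDR/Sysmon process telemetry.

```python
"""Hunt for exfiltration tooling that precedes encryption (RClone and Mega
clients) in process-creation telemetry. Added example, not from the article;
the events and field names (host, user, image, cmdline) are constructed
assumptions modelled on what EDR or Sysmon process events carry.
"""
import re
from dataclasses import dataclass

# Constructed sample telemetry: one benign event, a renamed rclone run by a
# service account, a Mega client upload and an ordinary rclone sync.
EVENTS = [
    {"ts": "2026-02-03T01:12:40Z", "host": "FS01", "user": "CORP\\svc_backup",
     "image": "C:\\Windows\\System32\\svchost.exe", "cmdline": "svchost.exe -k netsvcs"},
    {"ts": "2026-02-03T01:14:02Z", "host": "FS01", "user": "CORP\\svc_backup",
     "image": "C:\\ProgramData\\sync\\s.exe",
     "cmdline": "s.exe copy \\\\FS01\\finance remote:dump --transfers 32 --config c.conf"},
    {"ts": "2026-02-03T01:20:11Z", "host": "WS22", "user": "CORP\\jgarcia",
     "image": "C:\\Program Files\\MEGAcmd\\MEGAclient.exe",
     "cmdline": "MEGAclient.exe put D:\\HR\\ /upload"},
    {"ts": "2026-02-03T09:05:00Z", "host": "WS07", "user": "CORP\\mlopez",
     "image": "C:\\Program Files\\rclone\\rclone.exe",
     "cmdline": "rclone.exe sync C:\\Users\\mlopez\\Photos gdrive:photos"},
]

# rclone's verb + source + "remote:" destination, and its characteristic flags.
# Matching on the command line, not only the image name, keeps a renamed binary
# visible: the "legitimate channel" used to slip past DLP is still rclone.
RCLONE_CMD = re.compile(r"\b(copy|sync|move)\b\s+\S+\s+[\w-]+:", re.I)
RCLONE_FLAGS = re.compile(r"--(transfers|config|bwlimit|no-check-certificate)\b", re.I)
MEGA_IMAGE = re.compile(r"mega(cmd|client|sync)", re.I)


@dataclass
class Finding:
    rule: str
    host: str
    user: str
    cmdline: str


def is_rclone_like(ev: dict) -> bool:
    c = ev["cmdline"]
    return "rclone" in ev["image"].lower() or bool(RCLONE_CMD.search(c) and RCLONE_FLAGS.search(c))


def hunt(events: list, service_accounts=frozenset()) -> list:
    """One Finding per matching rule; service-account hits are tagged because a
    backup or integration account has no business running a cloud sync client."""
    out = []
    for ev in events:
        rules = []
        if is_rclone_like(ev):
            renamed = "rclone" not in ev["image"].lower()
            rules.append("rclone-renamed-binary" if renamed else "rclone-cloud-sync")
        if MEGA_IMAGE.search(ev["image"]):
            rules.append("mega-client")
        for rule in rules:
            if ev["user"] in service_accounts:
                rule += "/service-account"
            out.append(Finding(rule, ev["host"], ev["user"], ev["cmdline"]))
    return out
```

The ordinary user's rclone sync is still surfaced so the analyst can triage it; the renamed binary under a service account is the hit that should go straight to containment.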
Related Resources
- What is ransomware: technical definition, families and defence
- NIS2 audit step by step for European companies
- DORA compliance guide for financial entities 2026
- ENS certification: complete guide
- Cybersecurity audit for business: scope and method
- Types of malware most relevant to enterprises
- What is INCIBE and what it does for companies
Response and Prevention with Secra
At Secra we address ransomware posture on three levels. First, a rapid ransomware posture audit in 5 to 7 days: review of exposed surface, perimeter MFA, real backup status, EDR coverage, segmentation and continuity plan. We deliver an executive report with prioritised risks and a 90-day action plan.
Second, a DFIR retainer: incident response contract with agreed activation times, preconfigured access and joint playbook. If the incident happens, no time is lost in the first hours handling contracts.
Third, continuous threat hunting aligned with the TTPs of groups relevant to your sector.
If your organisation operates in healthcare, industry, retail, banking or the public sector and you want an honest technical conversation about where you stand and what to prioritise, get in touch with our team at /en/contact/.
About the author
Secra Solutions team
Ethical hackers with OSCP, OSEP, OSWE, CRTO, CRTL and CARTE certifications, 7+ years of experience in offensive cybersecurity, and authors of CVE-2025-40652 and CVE-2023-3512.