The Russian-linked ransomware gang Rhysida has claimed responsibility for an attack against KISS FM, a leading Spanish radio station operated by Mediaset España. The group alleges it exfiltrated sensitive data and is demanding a ransom of three bitcoins (about 300 000 U.S. dollars) to prevent the public release or sale of the stolen information.
How the Ransomware Attack on KISS FM Unfolded and What Was Stolen
On November 5 2025, Rhysida listed KISS FM as a new victim on its dark-web leak portal. In its post, the gang claimed to have breached the radio network’s servers and stolen nearly two million files containing internal documents, audience analytics, and financial communications.
The group published screenshots of allegedly stolen materials, which researchers believe include:
- Internal correspondence between KISS FM and Spain’s Ministry for Digital Transformation
- Audience-rating reports and programme performance data
- Invoices, advertising contracts, and technical infrastructure details
While employee or listener personal information has not yet been confirmed among the exposed data, analysts warn that the nature of the breach could still pose serious reputational, regulatory, and financial consequences for Mediaset España.
“Media organisations operate on public trust and timing. A ransomware incident that interrupts broadcasting or exposes business dealings can cause ripple effects across their entire advertising ecosystem,” security researchers observed.
Why Rhysida Is Expanding to High-Visibility Media Targets Across Europe
Rhysida has built a reputation for double-extortion tactics—encrypting victim systems while simultaneously threatening to release exfiltrated data if ransom demands go unmet. Since emerging in 2023, the gang has targeted more than 230 organisations, including universities, hospitals, and government institutions.
The attack on KISS FM suggests a shift in focus toward high-visibility entities where operational disruption quickly attracts attention. By targeting a national broadcaster with millions of listeners, the group amplifies psychological pressure to pay the ransom, fearing the fallout from public embarrassment, data leaks, and service outages.
Security analysts also note that Rhysida’s technical operations mirror those of other Russia-linked threat groups, with the use of custom PowerShell scripts, lateral-movement tools, and data-exfiltration frameworks commonly seen in recent European cyber incidents.
The Potential Fallout for Mediaset España and Spain’s Broadcasting Sector
KISS FM’s parent company, Mediaset España, generates roughly 2.95 billion euros in annual revenue, making it one of Spain’s most prominent media conglomerates. If Rhysida’s claims prove accurate, the breach could trigger significant scrutiny from Spain’s data-protection authority under the General Data Protection Regulation (GDPR).
Beyond fines and reputational harm, media-sector ransomware attacks often lead to:
- Broadcast interruptions and loss of advertising slots
- Delays in content distribution and programme delivery
- Legal liabilities involving leaked commercial agreements
- Erosion of public and partner trust in the brand
Security experts urge KISS FM to conduct an immediate digital-forensics investigation, audit network-access logs, and verify whether broadcast or editorial systems were affected. Transparent communication with regulators, advertisers, and the public will also be crucial to mitigate long-term reputational damage.
Strengthening Cyber Resilience in the Media Industry
This latest breach underscores the vulnerability of Europe’s media landscape, where interconnected production systems and real-time broadcasting networks create ideal conditions for ransomware intrusion. Cybercriminals exploit these dependencies to maximise disruption and extortion leverage.
Experts recommend that broadcasters:
- Implement network segmentation to isolate production and corporate systems
- Regularly test data-backup and disaster-recovery plans
- Employ endpoint detection and response solutions to monitor lateral movement
- Conduct phishing-resilience training for staff and contractors
The KISS FM incident highlights that even entertainment and broadcasting companies, traditionally outside the cybersecurity spotlight, are now frontline targets in ransomware campaigns driven by financial gain and public-impact potential.
