Southern Italy’s city of Palermo suffered a ransomware attack that disrupted municipal services, rendering them unavailable to residents and tourists.
Palermo is home to approximately 1.3 million people, with about 2.3 million tourists visiting the historic Italian city annually.
The cyber incident left people unable to access many digital services and venues or communicate with the city.
Ransomware attack disrupted Palermo municipal services
The suspected ransomware attack on Palermo city disrupted video surveillance management, municipal police operations, online bookings, and digital communication channels.
Subsequently, residents and visitors could not reach public offices via digital systems and relied on outdated fax machines for communication.
Additionally, they could not acquire the limited traffic zone cards required to enter restricted areas, while local authorities could not enforce penalties for violations.
Similarly, visitors and tourists could not access tickets to the Massimo Theater and other facilities that require online booking.
Palermo municipality had received threats from the Killnet hacking group. The Russian cybercrime gang targeted countries supporting Ukraine during Putin’s invasion.
Killnet disrupts its victims’ operations via distributed denial of service (DDoS) attacks. The group had declared war on the “fake Italian government” and at least eight other countries.
Palermo municipal services could remain unavailable longer than expected
Paolo Petralia Camassa, the innovation councilor for the municipality of Palermo, warned that it could take longer than anticipated to restore the impacted municipal services.
Councilor Camassa explained that various systems were taken offline and isolated from the network, a typical containment response to a ransomware attack.
Similarly, Palermo Municipality said it was trying to restore municipal services by reconstructing its systems from backups, some of which were partially corrupted during the suspected ransomware attack.
Additionally, the city disclosed that the ransomware attack affected the entire network infrastructure and all connected workstations. The city was preparing a small private network connected to a few verified workstations.
These disclosures suggest the restoration of Palermo municipal services could take much longer than anticipated.
However, the city hired the IT firm SISPI to assist in reconstructing its IT systems to hasten the restoration of the disrupted municipal services.
Vice Society took responsibility for the Palermo municipality ransomware attack
The ransomware group Vice Society took responsibility for the Palermo cyber attack. Like other ransomware gangs that operate on the double extortion model, Vice Society threatened to publish the stolen data.
However, the ransomware gang did not specify the nature of the stolen data. Similarly, the city of Palermo did not confirm if the attacker accessed personal data during the cyber security incident.
The Italian website Cybersecurity360.it reported that hackers accessed sensitive documents such as birth, marriage, family, and residence status certificates. Camassa said SISPI had taken the necessary measures to mitigate data violations.
However, the city of Palermo could be subject to GDPR fines for failing to have adequate protections in place to prevent the data breach. The municipality has complied with the GDPR reporting requirements and notified the data and privacy protection agency within three days as required.
Palermo city has not officially confirmed the ransomware attack or disclosed the attack vector leveraged by the ransomware gang.
However, Vice Society is known for exploiting known operating system and application vulnerabilities. In 2021, the cyber gang exploited the Windows print spooler vulnerability, PrintNightmare, to compromise its victims.
The gang lists the De Montfort School and St Paul’s Catholic College among its latest victims.
“Whether or not the cyberattack on the city of Palermo is a ransomware attack is still to be confirmed by authorities,” W. Curtis Preston, Chief Technical Evangelist, Druva, said. “However, irrespective of the exact nature of the attack, it is clear that their systems were shut down to identify and contain the threat.”
Preston noted that restoring municipal services should be a priority regardless of the nature of the incident. He suggested that hackers had compromised administrator accounts after residing on the network for some time.
“The challenge they will face next will be identifying the last clean backups for each system so that restoring data does not reintroduce the malware or files that may have been tampered with,” he concluded.
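The recovery problem described above, rebuilding from backups that may be partially corrupted and picking the last clean one so that restoration does not reintroduce tampered files, can be made concrete. The following is an added example written for this page, not code from the Palermo municipality, SISPI or Druva: each backup snapshot carries a manifest of SHA-256 file hashes recorded at backup time and authenticated with an HMAC key that lives only on the backup server (an assumption of the example), and the restore step walks snapshots newest to oldest, rejecting any whose manifest fails authentication, whose files no longer match their recorded hashes (partial corruption), or whose contents match a known-bad hash set. The snapshots, file contents, dates and the known-bad hash are all constructed inline for illustration.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, field

# Key used to authenticate manifests. Assumption for this example: it is kept on
# the backup server, never on the workstations being backed up, so an attacker
# who encrypts or tampers with workstation data cannot re-sign a manifest.
MANIFEST_KEY = b"constructed-example-key-not-a-real-secret"


@dataclass
class Snapshot:
    name: str
    taken_at: str            # ISO date recorded at backup time (constructed values below)
    manifest: dict           # path -> sha256 hex recorded at backup time
    manifest_mac: str        # HMAC-SHA256 over the canonical manifest
    files: dict = field(default_factory=dict)  # path -> bytes as read back now


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def manifest_mac(manifest: dict) -> str:
    """Authenticate the manifest so a tampered hash list is itself detectable."""
    canonical = json.dumps(manifest, sort_keys=True).encode()
    return hmac.new(MANIFEST_KEY, canonical, hashlib.sha256).hexdigest()


def make_snapshot(name: str, taken_at: str, files: dict) -> Snapshot:
    """Simulates the backup job: hash every file and sign the resulting manifest."""
    manifest = {path: sha256_hex(data) for path, data in files.items()}
    return Snapshot(name, taken_at, manifest, manifest_mac(manifest), dict(files))


def verify_snapshot(snap: Snapshot, known_bad: set) -> list:
    """Return a list of problems; an empty list means the snapshot is clean."""
    problems = []
    if not hmac.compare_digest(manifest_mac(snap.manifest), snap.manifest_mac):
        # A manifest that does not authenticate tells us nothing reliable, stop here.
        problems.append("manifest: authentication failed")
        return problems
    for path, expected in snap.manifest.items():
        data = snap.files.get(path)
        if data is None:
            problems.append(f"missing: {path}")
        elif sha256_hex(data) != expected:
            problems.append(f"corrupted: {path}")       # partial corruption on disk
        elif expected in known_bad:
            problems.append(f"known-bad content: {path}")  # malware already in the backup
    for path in snap.files:
        if path not in snap.manifest:
            problems.append(f"unexpected: {path}")      # file added after the backup ran
    return problems


def last_clean_snapshot(snapshots: list, known_bad: set):
    """Walk snapshots newest first and return the first one with no problems."""
    for snap in sorted(snapshots, key=lambda s: s.taken_at, reverse=True):
        if not verify_snapshot(snap, known_bad):
            return snap
    return None


# Constructed sample data: a stand-in for a dropped binary whose hash an IR team
# has added to its known-bad list after analysing the incident.
BAD_PAYLOAD = b"constructed malicious payload marker"
KNOWN_BAD = {sha256_hex(BAD_PAYLOAD)}


def build_sample_snapshots() -> list:
    """Three constructed snapshots: clean, tainted by known-bad content, corrupted."""
    base = {
        "etc/app.conf": b"port=8080\n",
        "data/records.db": b"record-1\nrecord-2\nrecord-3\n",
    }
    clean = make_snapshot("full-2022-05-30", "2022-05-30", base)

    # Newer snapshot taken after the attacker was already on the network.
    tainted = make_snapshot("full-2022-06-01", "2022-06-01", {**base, "bin/helper": BAD_PAYLOAD})

    # Newest snapshot whose database file was partially overwritten after the
    # manifest was recorded, so its hash no longer matches.
    corrupted = make_snapshot("full-2022-06-02", "2022-06-02", base)
    corrupted.files["data/records.db"] = b"record-1\n\x00\x00\x00"
    return [clean, tainted, corrupted]


if __name__ == "__main__":
    snaps = build_sample_snapshots()
    for s in snaps:
        print(s.name, verify_snapshot(s, KNOWN_BAD) or "clean")
    chosen = last_clean_snapshot(snaps, KNOWN_BAD)
    print("restore from:", chosen.name if chosen else "no clean snapshot found")
```

The point of signing the manifest separately from the data is that a manifest stored beside the backup is as exposed as the backup itself; without authentication, an intruder with write access could simply update the recorded hashes to match tampered files. The known-bad check is deliberately applied after hash verification so that an honest but corrupted file is reported as corruption rather than silently compared against the bad list.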