
Ransomware Attack Disrupts Antwerp City Services via a Digital Partner

Digital city services of Antwerp, Belgium, went offline after a ransomware attack compromised the city’s digital partner. According to Het Laatste Nieuws (HLN), hackers gained access to servers belonging to the city’s digital services provider Digipolis, impacting almost all Windows applications.

The ransomware attack occurred within weeks of Ragnar Locker publishing 16 years’ worth of data, including investigation reports, from Antwerp’s Zwijndrecht police unit.

Ransomware attack disrupts critical Antwerp city services

Local media reported that the ransomware attack affected residential care centers for seniors, notably the Antwerp Healthcare Company (Zorgbedrijf Antwerpen).

Johan De Muynck, the general manager of Zorgbedrijf Antwerpen, said the ransomware attack crashed the software that keeps track of who should receive which medication. Subsequently, 18 residential care centers resorted to the manual system, forcing staff to rely on paper prescriptions.

However, De Muynck said customers’ personal information was safe as the attack did not compromise any database. The center also implemented an emergency solution to restore phone and support services.

Antwerp’s ransomware attack also impacted schools, daycare centers, police, and fire services. Additionally, Antwerp’s reservation systems became inoperable, thus preventing people from accessing their identity cards.

“For example, we are currently no longer able to issue identity cards. Many of the applications at those counters are federal, and they have preventively closed the lines. Only travel passes can still be collected,” the city’s spokesman told Het Laatste Nieuws.

According to city councilor Alexandra d’Archambeau, the ransomware attack also shut down mail services and a political decision-making platform.

Although some city services became intermittently available, most could remain unavailable until the end of the year, according to Antwerp’s mayor. HLN reported that some city services, such as police databases, were still accessible during the attack. Similarly, emergency services still functioned normally despite the widespread disruption of Antwerp city services.

Councilor d’Archambeau wondered whether Belgium would ever prioritize cybersecurity just as Diest, another Belgian city, confirmed an attack from a threat actor yet to be identified. The attack also compromised Diest’s digital systems, rendering many city services inaccessible.

No cybercrime group has claimed responsibility for the attack on Diest, and the city’s mayor, Christophe De Graef, said the incident was under investigation. The Antwerp prosecutor’s office has also opened an investigation into the ransomware attack on Belgium’s largest city.

Meanwhile, the Belgian government has sent newsletters to its staff on how to prevent cyber attacks. Guidelines include spotting phishing attacks, using strong passwords, verifying contacts before communication, updating software, and limiting privileged access to systems. While such guidelines are welcome in the wake of multiple cyber attacks disrupting city services, their timing is similar to shutting the stable door after the horse has bolted.

Threat group claims responsibility for Antwerp ransomware attack

According to Brett Callow, a threat analyst at Emsisoft, the Play ransomware group listed the city of Antwerp on its data leak site. Additionally, the threat actor claims to have stolen 557 GB of data, including personal information such as IDs, passports, and financial documents.

The city of Antwerp has not attributed the ransomware attack to any threat group or disclosed if any ransom demands had been made. However, the Play ransomware group threatened to publish the stolen data in seven days if their unspecified demands were ignored.

The Play ransomware group is a relatively new threat actor, first detected in June 2022 and attributed to the attack on Argentina’s Judiciary of Córdoba.

The group appends a ‘.play’ extension to encrypted files and drops a ‘.txt’ ransom note on the C: drive with contact information.
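A defender can turn those two file-system indicators into a quick triage check. The script below is an added example, not code from the article or from any vendor: it walks a directory tree standing in for the C: drive, flags directories where a large share of files carry the ‘.play’ extension, and lists any ‘.txt’ files at the root as candidate ransom notes. The 50% threshold and the sample tree are assumptions constructed for the demonstration.

```python
import os
import tempfile
from pathlib import Path

PLAY_EXT = ".play"      # extension the article says Play appends to encrypted files
NOTE_SUFFIX = ".txt"    # the ransom note is described as a .txt file on the drive root
RATIO_THRESHOLD = 0.5   # assumption: flag a directory once half of its files carry PLAY_EXT


def assess_tree(root):
    """Walk `root` (standing in for the C: drive) and report Play-style indicators."""
    root = Path(root)
    total = encrypted = 0
    suspect_dirs = []
    for dirpath, _dirs, files in os.walk(root):
        if not files:
            continue
        hits = sum(1 for f in files if f.lower().endswith(PLAY_EXT))
        total += len(files)
        encrypted += hits
        if hits / len(files) >= RATIO_THRESHOLD:
            rel = Path(dirpath).relative_to(root)
            suspect_dirs.append(str(rel) if str(rel) != "." else "<root>")
    # .txt files sitting at the drive root are only interesting alongside encrypted files
    root_notes = sorted(p.name for p in root.iterdir()
                        if p.is_file() and p.suffix.lower() == NOTE_SUFFIX)
    return {
        "total_files": total,
        "encrypted_files": encrypted,
        "suspect_dirs": sorted(suspect_dirs),
        "root_notes": root_notes if encrypted else [],
        "verdict": "play-indicators" if suspect_dirs else "clean",
    }


def build_sample_tree(base):
    """Constructed sample data: a partly encrypted 'finance' share next to an untouched folder."""
    base = Path(base)
    (base / "finance").mkdir()
    (base / "hr").mkdir()
    for name in ("finance/report.docx.play", "finance/budget.xlsx.play",
                 "finance/todo.txt", "hr/policy.pdf", "ReadMe.txt"):
        (base / name).write_text("constructed sample content\n")
    return base


def demo():
    """Run the check against the constructed tree and return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        return assess_tree(build_sample_tree(tmp))
```

On a real host the same walk would be pointed at the drive root and the hit ratio tuned to the share's normal file mix.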

“This attack on Antwerp isn’t the Play ransomware gang’s first assault on a major governmental entity,” said Carol Volk, BullWall executive. “As larger enterprises and intellectual property-centric organizations further tighten their defenses, we can expect threat actors to shift their attention towards governmental prey.”

According to Volk, ransomware groups perceived city and state governments as more capable and willing to pay ransom to prevent the disruption of essential services.

“To protect their citizens, every city government needs to review their policies and security stacks, and deploy tools that can prevent file encryption and corruption, as well as those that can identify mass data transfers. Protection against profit-motivated actors, as well as nation-state threat actors with even more malicious motives, should be considered a highest level priority in 2023.”