
Palermo ransomware attack: Vice Society claims responsibility as city details recovery strategy

The Italian municipality is attempting to defy attackers by restoring its systems from backups

The cyber attack on the Italian municipality of Palermo has been confirmed as a ransomware incident, with Vice Society claiming responsibility. 

The incident appears to be a double extortion ransomware attack, in which data is exfiltrated before systems are encrypted and its publication is used as additional leverage: Vice Society’s victim page states that a set of documents belonging to Palermo will be published at 13:15 (BST) on Sunday 12 June.

The nature of the stolen data has not been specified and Palermo has not confirmed that any of its data has been exfiltrated, though it has confirmed that a cyber attack took place and said data theft was a possibility.

The city issued a press release on Thursday afternoon, confirming the attack to be ransomware and detailing the steps the municipality has taken to contain the incident.

Digitally translated from Italian to English, the press release confirmed that the attack affected the “entire telematic infrastructure” of Palermo’s data centre, “including all the workstations distributed at the offices of the municipal administration of Palermo connected to it”, leading to a total interruption of services.

Palermo is attempting to restore its systems from backups, the press release indicated, though some of its backups were corrupted in the attack. It said its Veeam backup server was unavailable, as was its VMware virtualisation infrastructure. It is now relying on other backups from its Arcserve recovery solution and the remaining accessible data from its Oracle database and NetApp storage. The press release does not say why the backup server was lost, but the detail is the one practitioners should note: backups that are reachable from the production network with production credentials are routinely encrypted alongside the data they protect, which is why offline or immutable copies are the usual recommendation.

Palermo’s recovery will proceed in stages. First a private network will be set up, accessible only to a small number of verified workstations. Basic infrastructure will then be reinstalled on that network, after which individual workstations will be restored and re-admitted to the network.

The municipality also confirmed that it notified the relevant data protection authorities within 72 hours of the attack, as Article 33 of GDPR requires.

Screenshot of Vice Society ransomware gang's blog claiming the hack on Palermo

The municipality gave no indication that it was prepared to pay Vice Society’s ransom demand, the size of which is not currently known.

A number of the city’s websites are unreachable, at the time of writing, including the city’s official website and SISPI, the IT service management system of Palermo.


“While we are still unsure of the full impact of the hack, even if the municipality has been successful in taking systems offline to prevent the spread of ransomware, it has still resulted in real-life issues for both the authorities and residents of the community, with municipal police services taken down and residents forced to rely on fax machines to communicate with city officials,” said Ian McShane, VP of strategy at Arctic Wolf, speaking to IT Pro.

“Unfortunately, public sector organisations are often in a worse position than some private companies when it comes to cyber security. Often with smaller budgets than large multinational corporations, it can be difficult for them to attract talent by offering competitive salaries. This results in teams being overstretched and overwhelmed with issues.”

Palermo confirmed the attack hours after the initial breach on 2 June and many of the municipality’s IT systems were shut down and isolated from its network as a result, Paolo Camassa, deputy mayor of Palermo, said via Facebook.

“Activities are underway to evaluate the nature and consequences of the incident. Services are currently unavailable and there may be some inconvenience in the coming days, for which we apologise in advance,” his statement read, translated by machine.

“SISPI has already set up a technical team to manage the event, the necessary measures have been put in place to remedy possible breaches of personal data, and communication is being provided to the competent authorities.”

Italy under siege

When the cyber attack was first discovered, its nature was unclear. Initial speculation from outsiders was that it had been conducted by the pro-Russia Killnet hacking collective, which ‘declared war’ on Italy and nine other countries mere days before the ransomware attack.

Killnet mounted an offensive against Italy after the country’s Computer Security Incident Response Team (CSIRT) thwarted the hackers’ attempted attack on the Eurovision Song Contest’s voting systems – an unsuccessful bid to stop Ukraine from winning.

The threat of distributed denial of service (DDoS) attacks launched by Killnet on Italian organisations prompted the country’s CSIRT to issue a warning to all public and private sector organisations of impending attacks.

Those thought to be at particular risk were government departments, utility companies, and any business with a brand identity linked to Italy.

A change in tack from ransomware gangs?

Since the infamous ransomware attack on Colonial Pipeline that disrupted fuel supplies along the east coast of the US last year, ransomware gangs were thought to be adjusting their targeting models to avoid attacking the largest organisations and drawing serious attention from law enforcement.

The thinking was reiterated earlier this year in a joint advisory published by the UK’s National Cyber Security Centre (NCSC), the US Federal Bureau of Investigation (FBI) and partner agencies.

The Colonial Pipeline incident prompted the Biden administration to start treating ransomware attacks in much the same way as terrorist attacks.

There have not yet been any ransomware cases that have led to the prosecution of anyone under terrorism laws, but the threat was thought to be enough to stop attacks on targets as significant and large as the likes of Palermo and also recently, Costa Rica.

The attack on Palermo, following the two successive ransomware attacks on Costa Rica, raises questions about the motives of ransomware actors and whether they are once again targeting larger organisations, and in recent cases entire countries.

Vice Society’s attack could simply be an extension of its well-documented modus operandi – to hack organisations after exploiting known, unpatched security vulnerabilities.

“While there hasn’t been a lot of information released about the attack to date – only that all key systems have been taken down while the incident response activities are ongoing – the gang are known for exploiting recognised vulnerabilities within systems, but this is quite common among ransomware gangs,” said Cliff Martin, head of cyber incident response at GRC International Group, speaking to IT Pro.

“There are many ransomware gangs around so I wouldn’t suggest that all gangs have the same approach when it comes to who they target and how they achieve their objectives,” he added. “It is likely that the gang came across the vulnerable systems and took advantage of the opportunity. Sites like Shodan index internet-facing systems and provide attackers with information they can use to target certain systems/organisations.”

Cisco Talos security researchers noted last year that Vice Society was using the Windows Print Spooler vulnerabilities collectively known as PrintNightmare (CVE-2021-1675 and CVE-2021-34527) in its ransomware operations.
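The practical question that detail raises for an administrator is whether the conditions PrintNightmare depends on are still present on their own estate. The script below is an added example, not code from the IT Pro article, Cisco Talos or the Vice Society reporting: it audits a Windows host against Microsoft’s own published mitigations (stopping the Spooler service where it is not needed, especially on domain controllers, and the Point and Print registry policies Microsoft documented alongside the July and August 2021 updates), and offers a separate hardening function. The function names `Get-PrintSpoolerExposure` and `Set-PrintSpoolerHardening` are this example’s own; the registry path, value names and `Win32_ComputerSystem.DomainRole` codes are Microsoft’s.

```powershell
# Added example (not from the article, Talos or Vice Society reporting): audit a
# Windows host for the conditions the PrintNightmare Print Spooler flaws
# (CVE-2021-1675 / CVE-2021-34527) relied on. Run in an elevated PowerShell session.

# Point and Print policy key named in Microsoft's PrintNightmare mitigation guidance.
$PointAndPrintKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'

function Get-PrintSpoolerExposure {
    [CmdletBinding()]
    param()

    $spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    # Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC.
    $domainRole = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
    $isDomainController = $domainRole -ge 4

    # A missing key or value means "not configured"; Get-ItemProperty then yields $null.
    $pp = Get-ItemProperty -Path $PointAndPrintKey -ErrorAction SilentlyContinue

    $findings = [System.Collections.Generic.List[string]]::new()

    if ($null -eq $spooler) {
        $findings.Add('Print Spooler service not present; nothing to assess.')
    }
    elseif ($spooler.Status -eq 'Running') {
        if ($isDomainController) {
            $findings.Add('Print Spooler is running on a domain controller; disable it unless the DC must print.')
        }
        if ($pp.RestrictDriverInstallationToAdministrators -ne 1) {
            # Not explicitly set: the restriction then depends on the August 2021 update default.
            $findings.Add('RestrictDriverInstallationToAdministrators is not explicitly 1; set it so non-administrators cannot install printer drivers.')
        }
        if ($pp.NoWarningNoElevationOnInstall -eq 1) {
            $findings.Add('NoWarningNoElevationOnInstall is 1: Point and Print driver installs skip the elevation prompt.')
        }
        if ($pp.UpdatePromptSettings -in 1, 2) {
            $findings.Add("UpdatePromptSettings is $($pp.UpdatePromptSettings): driver updates install with reduced or no prompting.")
        }
    }

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        SpoolerStatus      = if ($spooler) { [string]$spooler.Status } else { 'NotInstalled' }
        SpoolerStartType   = if ($spooler) { [string]$spooler.StartType } else { 'NotInstalled' }
        IsDomainController = $isDomainController
        Findings           = $findings.ToArray()
    }
}

function Set-PrintSpoolerHardening {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Stop and disable the service outright (appropriate for DCs and servers that never print).
        [switch]$DisableSpooler
    )

    if ($DisableSpooler -and $PSCmdlet.ShouldProcess('Spooler', 'Stop and disable service')) {
        Stop-Service -Name Spooler -Force -ErrorAction SilentlyContinue
        Set-Service -Name Spooler -StartupType Disabled
    }

    if ($PSCmdlet.ShouldProcess($PointAndPrintKey, 'Apply Microsoft Point and Print mitigations')) {
        if (-not (Test-Path $PointAndPrintKey)) {
            New-Item -Path $PointAndPrintKey -Force | Out-Null
        }
        # Values Microsoft recommends after the July/August 2021 updates.
        Set-ItemProperty -Path $PointAndPrintKey -Name RestrictDriverInstallationToAdministrators -Value 1 -Type DWord
        Set-ItemProperty -Path $PointAndPrintKey -Name NoWarningNoElevationOnInstall -Value 0 -Type DWord
        Set-ItemProperty -Path $PointAndPrintKey -Name UpdatePromptSettings -Value 0 -Type DWord
    }
}

# Usage: audit first; harden only after reviewing the findings (try -WhatIf first).
$report = Get-PrintSpoolerExposure
$report | Format-List
if ($report.Findings.Count -gt 0) {
    Write-Warning 'Host has PrintNightmare-relevant exposure; review before running Set-PrintSpoolerHardening.'
}
```

The audit deliberately treats an absent `RestrictDriverInstallationToAdministrators` value as a finding rather than as safe: on a fully patched host the restriction is the default, but on a host that has missed the August 2021 update it is not, and setting the value explicitly removes the dependency on patch state. Run `Get-PrintSpoolerExposure` across a fleet with `Invoke-Command` before deciding where `-DisableSpooler` is acceptable, since disabling the service on print servers will break printing.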

The same researchers also noted that it has a history of targeting public institutions, namely in the education sector.

Vice Society’s blog currently shows the De Montfort School and St Paul’s Catholic College as two of its most recent victims, both in the education sector and based in Worcestershire and Surrey respectively.
