Cyber Incident Victim: City of Kammeltal
Date: Apr 2021
Location: Germany
Summary
The City of Kammeltal experienced a cyberattack involving a trojan that encrypted files and demanded ransom, rendering documents inaccessible and corrupting data into unreadable formats. While security-sensitive information remained unaffected due to prior outsourcing, operational documents, forms, and official templates were lost. The attack, suspected to originate from a malicious email attachment, prompted immediate police investigation. Recovery feasibility was uncertain, leading to anticipated delays in administrative services.
Description
On April 14, 2021, the Bavarian municipality of Kammeltal experienced a disruptive cyberattack targeting its computer systems. Executive Director Ernst Walter discovered the incident upon attempting to access files, finding only corrupted data described as "a salad of letters" instead of normal documents. The attack involved a trojan that encrypted or formatted files, rendering them inaccessible. Critical operational documents—including forms, templates for the official journal, and materials necessary for party traffic (citizen-government interactions)—were permanently lost. Municipality officials confirmed no security-relevant data was compromised, as such information had been previously outsourced to external systems. Mayor Thorsten Wick emphasized this segregation prevented broader data exposure, though the loss of administrative documents significantly impaired daily operations. Initial forensic analysis suggested the malware entered the system via a malicious email attachment, though this vector remained unconfirmed during the initial response phase.

The municipality promptly notified law enforcement, initiating a police investigation into the attack’s origin and methodology. A public statement acknowledged the total corruption of files and uncertainty regarding data recovery capabilities. Operational disruptions necessitated longer processing times for citizen services, with officials requesting public understanding during restoration efforts. While the attackers issued a ransom demand, the municipality did not disclose whether payment was considered or negotiated. Notably, officials implied German municipalities might be less frequent ransomware targets due to perceived barriers to extortion, contrasting with trends observed in U.S. local government attacks. The incident remained under active investigation with no public attribution to specific threat actors or disclosure of the malware variant used. Recovery efforts focused on restoring administrative functions from backups where possible, though the permanent loss of certain unstructured documents persisted as a primary operational impact.
