Cyber Incident Victim: Ayuntamiento Requena
Date: Nov 2022
Location: Spain
Summary
A ransomware attack targeted a municipal council in Valencia, encrypting user data and necessitating system shutdowns. The BlackCat group claimed responsibility, demanding $500,000 in Bitcoin and subsequently leaking stolen files. Operational disruptions persisted for over a week, crippling critical infrastructure including payroll systems and forcing partial salary payments to employees. The incident severely impacted administrative functions and public services.
Description
On November 27, 2022, Ayuntamiento de Requena (Requena City Council) in Valencia, Spain, experienced a cyberattack that encrypted user data across its systems. The following day, November 28, the municipal government issued an official resolution publicly disclosing the incident and confirming the forced shutdown of critical infrastructure to contain the compromise. Attackers deployed ransomware, paralyzing administrative operations for at least 10 consecutive days according to subsequent reports. The Levante news outlet detailed a ransom demand of $500,000 in Bitcoin (BTC) issued by the threat actors, though the council’s resolution did not explicitly confirm this amount. Critical municipal services were disrupted, including the payroll processing system, which prevented approximately 200 municipal employees from receiving their full salaries during the outage. Officials managed to distribute partial payments but could not restore normal payroll operations until systems were recovered.

The BlackCat (ALPHV) ransomware group claimed responsibility for the attack shortly after the incident, listing Ayuntamiento de Requena on its leak site and publishing a selection of exfiltrated files as proof of the breach. The group’s involvement indicated a double-extortion tactic, combining data encryption with threats to release stolen information unless ransom demands were met. No public statements from the city council confirmed whether negotiations occurred or whether decryption keys were obtained. The 10-day operational paralysis extended beyond payroll systems, though the resolution did not specify additional affected services beyond generalized system unavailability. Municipal operations faced prolonged recovery efforts, with no immediate timeline provided for full restoration of all encrypted data or confirmation of permanent data destruction by the attackers. The incident highlighted significant disruptions to local governance and employee welfare due to the targeting of critical administrative infrastructure.
