Cyber Incident Victim: Comune di Cagliari
Date: Jun 2021
Location: Italy
Summary
A ransomware attack disrupted services for the Municipality of Cagliari, forcing extraordinary maintenance that significantly reduced functionality across counter services and call centers. Officials advised the public to avoid in-person visits unless urgent and to use online alternatives, while instructing employees via WhatsApp to keep workstations powered off and disconnected from networks to prevent further spread of the CryptoLocker malware. Although partial restoration occurred shortly after the incident, operational limitations persisted due to ongoing recovery efforts. The ransom demand specifics remained undisclosed at the time of reporting.
Description
On June 27, 2021, the Municipality of Cagliari publicly disclosed a disruptive cyber incident through a notice on its website, attributing widespread service interruptions to a computer virus. The attack significantly degraded the functionality of municipal information systems, impacting both in-person counter services and call center operations. Officials characterized the event as requiring "extraordinary maintenance intervention" to restore operations, advising residents to avoid visiting municipal offices except in cases of extreme urgency and to prioritize online services where possible. Internal communications obtained by EveryEye revealed the municipality instructed employees via WhatsApp message to keep all office computers powered off with network cables disconnected—a containment measure explicitly intended to prevent further propagation of CryptoLocker ransomware. This directive indicated the malware’s presence in municipal systems, though authorities did not publicly confirm the ransomware variant at the time of their initial statement.

By June 28, municipal services began resuming operations, though functionality remained reduced due to continued maintenance activities. The municipality confirmed restoration progress in subsequent updates but cautioned that service limitations would persist through at least June 29 as recovery efforts extended. The incident caused sustained operational disruption across multiple public-facing channels, forcing adaptations in citizen engagement strategies during the remediation period. No details regarding ransom demands, payment status, or initial infection vectors were disclosed in available communications. Containment relied heavily on isolation protocols for endpoint devices alongside infrastructure maintenance, reflecting a response prioritizing system integrity restoration over immediate public disclosure of technical specifics.
