Cyber Incident Victim: Timrå Municipality

Date: May 2017

Location: Sweden

Summary

Timrå Municipality experienced a widespread ransomware attack involving a new variant of WannaCry malware that encrypted files on Windows systems, affecting at least 70 computers with projections of up to 100 compromised devices. The attack disrupted administrative operations, forcing some departments to halt work, but critical services such as home care and elderly residences remained unaffected. No ransom was paid, as officials relied on secured backups to maintain normal operations. The incident underscored organizational vulnerabilities to malicious software, causing significant operational disruptions but no immediate risks to public health or safety.

Description

On the afternoon of May 12, 2017, Timrå Municipality experienced a significant cyberattack as part of the global WannaCry ransomware outbreak. Shortly before 3:00 PM, multiple municipal computers displayed blue then black screens before automatically rebooting. Users encountered a message stating their files had been encrypted and demanding payment for restoration. The attack rapidly spread through vulnerable Windows systems, exploiting network vulnerabilities to encrypt both local files and shared network resources. By the end of the workday, approximately 70 computers had been compromised, with municipal leadership anticipating potential infection of up to 100 systems before containment. Administrative operations were forced to halt where affected computers rendered staff unable to perform their duties, though critical care services remained operational.

Municipal CEO Andreaz Strömgren confirmed immediate prioritization of life-critical services, verifying that home care, nursing homes, and healthcare planning systems remained unaffected. The municipality did not pay any ransom, relying instead on secured backups to maintain essential operations. Emergency response protocols were activated to contain the spread across networked systems. Forensic analysis identified the threat as a new variant of WannaCry ransomware propagating through vulnerable network-connected devices. While no perpetrator attribution was established, the incident caused substantial operational disruption across non-critical administrative functions. Strömgren characterized the event as demonstrating systemic vulnerabilities to malicious code despite maintaining core service continuity through existing data protection measures.
