Cyber Incident Victim: Vincennes
Date: Nov 2020
Location: France
Summary
The city of Vincennes experienced a ransomware attack targeting its IT systems, resulting in encrypted data and operational disruptions including the closure of telephone reception services. While no ransom demand was immediately received, the attack exhibited characteristics of ransomware operations, with indications that data may have been stolen. Technical teams identified the initial attack vector but did not disclose it publicly. Suspicious communications from municipal departments were attributed to altered workflows during pandemic-related confinement rather than the cyberattack. Unconfirmed traces of Emotet malware were reported, though these findings lacked corroboration from relevant threat intelligence services at the time.
Description
On November 3, 2020, the city of Vincennes officially disclosed via press release, Facebook, and Twitter that its information systems had suffered a coordinated cyberattack during the overnight hours of November 2-3. Municipal authorities characterized the incident as unprecedented in intensity for the city, occurring despite reinforced daily security measures designed to protect data integrity and connected IT resources. The attack directly disrupted municipal operations, forcing the closure of telephone reception services at the town hall. Press service representatives confirmed that attackers encrypted municipal data and systems during the breach. Independent sources indicated data exfiltration likely occurred, aligning with ransomware attack patterns, though city officials explicitly stated no ransom demand had been received at the time of disclosure. This absence of immediate contact was consistent with typical ransomware operator tactics, where extortion demands usually follow initial compromise through delayed communication channels like email or dedicated web interfaces.

Technical teams identified the attack's initial vector but had not disclosed it publicly by November 4. Social media comments referenced unusual messages originating from the city's Childhood Department, prompting municipal Twitter accounts to clarify that these communications had bypassed standard review processes because of workflow disruptions related to COVID-19 confinement, and to explicitly deny any connection to the cyberattack. Cybersecurity investigators reported potential traces of Emotet malware within municipal systems, though TG Soft's haveibeenEmotet service lacked corroborating evidence in its datasets at the time of reporting. The city maintained operational continuity for critical services while forensic analysis continued to determine the full scope of the attack and the extent of data compromise. Recovery efforts focused on restoring encrypted systems and evaluating potential data exposure risks to citizens and municipal operations.
