# Cyber Incident Victim: City of Frankfurt

Date: Dec 2019

Location: Germany

## Summary
The City of Frankfurt shut down its entire IT network after an employee opened a malicious email attachment that delivered the Emotet malware; the shutdown was intended to prevent ransomware deployment and further compromise. This preemptive action disrupted all municipal IT services, including public transportation ticketing and the city website, and mirrored the responses of other German entities such as Bad Homburg and several universities facing similar Emotet infections. Germany's cybersecurity agency, the BSI, advised such shutdowns to mitigate the risk, as Emotet operators were aggressively targeting German organizations through localized phishing campaigns impersonating government agencies. While Frankfurt avoided ransomware, a nearby university previously infected by Emotet suffered a Ryuk ransomware deployment that forced password resets for 38,000 users amid operational paralysis.
## Description
The City of Frankfurt shut down its entire IT network on December 18, 2019, following an Emotet malware infection discovered earlier that day. This decisive action was taken to prevent the Emotet infection from serving as an entry point for subsequent ransomware attacks, particularly Ryuk ransomware which had already impacted other German institutions. The infection vector traced back to a city employee opening a malicious email attachment, consistent with an ongoing Emotet campaign impersonating German government agencies that Germany's Federal Office for Information Security (BSI) had warned about on the same day. Frankfurt's network shutdown caused immediate disruptions to all municipal IT services, including the city's official website and public transportation ticketing systems. The city acted alongside Bad Homburg, another municipality that reported an Emotet infection on December 18 and similarly disconnected its networks. These incidents marked the third and fourth German entities forced into network shutdowns within ten days due to Emotet threats, following Justus Liebig University (JLU) in Gießen on December 8 and the Catholic University in Freiburg on December 17.

The JLU infection represented the earliest and most severe case, as Emotet operators successfully deployed Ryuk ransomware before containment measures could be implemented. This required the university to reset credentials for all 38,000 students and staff members, creating significant operational disruptions with long queues for password resets. BSI cybersecurity experts played a critical role in advising affected organizations to initiate preemptive network shutdowns, recognizing Emotet's established pattern of providing access to ransomware groups. Security researchers noted the Emotet operation had intensified targeting of German entities through localized phishing campaigns, including German-language email templates using current events like environmental activist Greta Thunberg as lures. While Frankfurt and Bad Homburg avoided ransomware deployment through immediate network isolation, the widespread infections demonstrated Emotet's strategic focus on German targets through tailored social engineering attacks. The coordinated response across academic and municipal institutions highlighted the elevated risk assessment for Emotet infections given their role as potential ransomware staging grounds.
