Cyber Incident Victim: Communauté de Communes du Bassin de Pont-à-Mousson
Date: Apr 2024
Location: France
Summary
The local government community of Bassin de Pont-à-Mousson experienced a ransomware attack disrupting its IT systems, forcing services to operate manually while public facilities remained accessible. Attackers demanded Bitcoin payment, but the organization refused due to legal constraints prohibiting unauthorized ransom payments without treasury approval. Officials confirmed no personal data was compromised, attributing containment to functional firewalls that prevented file exfiltration. Servers were progressively restored after crisis protocols were activated, including staff alerts to avoid infected devices. A police report was filed, and the incident prompted enhanced security measures, firewall upgrades, and increased employee awareness regarding phishing risks and backup practices.
Description
On April 4, 2024, at 23:43, the computer network of the Communauté de Communes du Bassin de Pont-à-Mousson (CCBPAM) suffered a cyberattack, rendering all systems inoperable. By 5:00 AM the same morning, the attack was confirmed as ransomware when the IT hosting provider alerted CCBPAM’s department head, who instructed arriving staff not to power on their computers to prevent further compromise. Attackers infiltrated the system directly—bypassing email vectors—and deposited a text file on one server demanding Bitcoin ransom payments negotiated through a specified exchange platform. CCBPAM President Henry Lemoine immediately ruled out payment, citing legal prohibitions against unauthorized transactions by local governments without Treasury approval and formal deliberation. A crisis unit was activated to manage the incident, during which firewalls blocked data exfiltration and no files were extracted according to Lemoine. Servers were progressively restored, allowing the crisis unit to deactivate by 19:00 that evening. The attack forced all community services—including waste disposal sites, swimming pools, libraries, music conservatories, and childcare facilities—to operate manually, though physical locations remained open.

CCBPAM filed a police report on April 5 at the local station, acknowledging limited investigative prospects without coordinated complaints against globally dispersed attackers. Lemoine asserted no personal data was breached, aiming to reassure users of municipal services. The incident prompted security enhancements, particularly firewall upgrades, and highlighted procedural gaps, leading to mandates for more frequent data backups. Staff received renewed training on threat recognition, emphasizing that the attack’s direct system penetration contrasted with typical email-based compromises. Lemoine contextualized the attack as part of a broader surge in pre-Olympic cybercriminal activity targeting potential revenue sources, though no explicit link to the Games was substantiated. Operational disruptions were contained within 24 hours, with no reported financial losses or data theft beyond the initial encryption. The event served as an unplanned rehearsal for incident response protocols, reinforcing vigilance among technical personnel.
