Cyber Incident Victim: Ville de Marseille

Date: Mar 2020

Location: France

Summary

A massive ransomware attack targeted the city of Marseille and its metropolis, disrupting operations ahead of local elections. The attack encrypted systems, bypassing existing defenses and impacting approximately 300 machines, forcing manual processing of proxy signing lists while authorities confirmed elections would proceed unaffected. Technical teams worked to contain the malware's spread and diagnose compromised infrastructure, leveraging backup systems to recover data. National and local agencies, including cybersecurity and law enforcement units, collaborated on restoration efforts and investigation. The incident was described as unprecedented in scale, though no ransom payment details or specific malware family were disclosed.

Description

A massive cyber attack targeted the town hall of Marseille and the Aix-Marseille-Provence metropolis in mid-March 2020, coinciding with the global spread of COVID-19 and preceding the municipal elections scheduled for March 15 and 22. The incident, described as unprecedented in scale and strike force, involved ransomware that encrypted files and systems while demanding payment. Attackers successfully bypassed existing defensive measures implemented by the city. Approximately 300 machines across the metropolis and in Martigues (Bouches-du-Rhône) were crippled, including devices intended for generating proxy signing lists for the upcoming elections. This disruption necessitated manual processing of voting-related documents. Authorities confirmed the attack would not delay or cancel elections, with Martine Vassal, president of the metropolis and mayoral candidate, publicly affirming voting would proceed normally. The National Information Systems Security Agency (ANSSI) verified the attack's technical impact while investigators noted no electoral infrastructure was directly compromised beyond the proxy list systems.

Technical teams immediately worked to diagnose compromised systems, contain the ransomware's propagation, and limit operational damage. Local officials coordinated with national agencies including the National Police’s Cybercrime Unit, which launched an investigation into the incident. Recovery efforts leveraged backup systems to restore data, with Vassal expressing confidence these would mitigate long-term impacts. The city's press release detailed the ransomware's function but provided no specifics about the malware family or attack vector. No ransom demands or threat actors were publicly identified during the initial response phase. Restoration of operations prioritized election-critical functions while broader system recovery continued. Vassal acknowledged that the defenses had failed to prevent the attack despite daily security precautions, highlighting the incident's severity. Ongoing work focused on forensic analysis and full service restoration, with no further public updates on data recovery completeness or investigation outcomes at the time of reporting.