Cyber Incident Victim: City of Florence
Date: May 2020
Location: United States of America
Summary
The City of Florence suffered a ransomware attack after attackers compromised its network through the information systems manager's account. The resulting operational disruption led to a unanimous decision to pay a $300,000 ransom using insurance funds in order to prevent potential data leaks and restore services. The attackers deployed DoppelPaymer ransomware. Officials were uncertain whether critical data had been exfiltrated but opted to pay based on assurances that the gang had a history of deleting data after ransom payment; the city also sought proof of data deletion as part of the resolution process.
Description
The City of Florence experienced a ransomware attack beginning on or around May 6, 2020, when threat actors compromised a Windows 10 system belonging to the city's manager of information systems. Attackers maintained persistent access for over a month, conducting reconnaissance within municipal networks. On May 26, cybersecurity firm Hold Security identified the breach through dark web monitoring and alerted journalist Brian Krebs, who subsequently notified Florence officials. The intrusion escalated on June 5 when attackers deployed DoppelPaymer ransomware across city systems and demanded payment of $300,000 in Bitcoin. Forensic analysis linked the initial compromise to credentials associated with the IT leadership account visible in the city's employee directory.

City operations faced significant disruption following the ransomware deployment, prompting an emergency council meeting where officials unanimously approved paying the ransom through municipal insurance funds. Mayor Steve Holt justified the decision as necessary to protect employee and resident data while restoring critical services, despite uncertainty about whether attackers exfiltrated sensitive information. The city engaged with the DoppelPaymer operators to request proof of data deletion prior to payment, relying on advisories that this ransomware variant historically honored such agreements. Recovery efforts focused on system restoration and forensic analysis to determine the full scope of compromised infrastructure, with officials publicly confirming the ransomware strain but not disclosing specific operational impacts beyond data accessibility issues. The incident revealed a nearly five-week dwell time between initial network penetration and ransomware detonation.
