Cyber Incident Victim: Comune di Taggia
Date: Mar 2023
Location: Italy
Summary
The Comune di Taggia suffered a ransomware attack by the RansomHouse group, which exfiltrated 710GB of data and partially published it online while threatening further disclosure unless the municipality made contact. The attackers initially demanded $300,000 for the return of the files, but the municipality refused to pay because operational backups limited the risk of permanent data loss. The incident caused significant disruption to administrative functions by compromising employee workstations, though core servers remained unaffected. Law enforcement investigations were initiated following the attack.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 2 motives | 2 techniques |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
On the night of March 10, 2023, unidentified cybercriminals executed a ransomware attack against the municipal IT infrastructure of Comune di Taggia, a Ligurian town in Italy's Imperia province. The attackers compromised computers left powered on by employees, encrypting local data while leaving the primary municipal server unaffected. A ransom demand of $300,000 was issued for file decryption, though the administration refused payment based on their assessment that the data theft was limited in scope. Technical personnel partially restored operations by March 15 using backup servers, preventing permanent data loss. The incident significantly disrupted daily administrative operations, slowing municipal functions despite the availability of backups. Local authorities engaged the Postal Police to investigate the attack's origin and perpetrators, with plans to formally file a criminal complaint. Initial public statements from Mayor Mario Conio confirmed the malware infection but downplayed its severity due to the intact primary server and functional backups.

On March 24, 2023, the RansomHouse cybercrime group publicly claimed responsibility for the attack via their dark web data leak site, revealing they had exfiltrated 710GB of sensitive data prior to encryption. The group accused the municipality's IT department of concealing the breach's full extent and threatened to publish confidential documents including project files unless contacted for negotiations. RansomHouse made a portion of the stolen data freely downloadable through their Tor-based platform, exposing it to any user with basic computer skills. This disclosure confirmed the attackers had successfully extracted information beyond the locally encrypted workstation data initially reported. The group's statement emphasized their prior access to municipal systems and criticized the administration's response strategy. Operational impacts persisted as municipal services remained partially impaired during forensic investigations. Authorities maintained their non-negotiation stance despite the data exposure threat, relying on law enforcement investigations rather than engaging with the threat actors. The breach exposed vulnerabilities in endpoint security practices, particularly regarding workstations left powered on overnight.
