Cyber Incident Victim: City of Knoxville
Date:
Jun 2020
Location:
United States of America
Summary
The City of Knoxville experienced a ransomware attack that encrypted its network, prompting an immediate shutdown of servers, internet connections, and computers to contain the incident. Critical emergency services like fire and police operations remained functional, though personnel lost network access, while City Court sessions were canceled and online services disrupted. Officials confirmed no personal or financial data was compromised, as sensitive information was not stored on affected systems. The incident was reported to federal and state law enforcement agencies, with an ongoing investigation into the unidentified attackers who demanded an undisclosed ransom. Municipal offices maintained physical operations despite technical disruptions during recovery efforts.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On June 11, 2020, the City of Knoxville, Tennessee, experienced a ransomware attack that encrypted computers across its network overnight. The incident was first detected around 4:30 AM by employees of the Knoxville Fire Department, prompting immediate action from city officials. Chief Operations Officer David Brace confirmed the ransomware encryption and directed the implementation of emergency protocols. Information Systems personnel shut down all servers, internet connections, and PCs to contain the attack, issuing a citywide directive instructing employees not to access the network or applications. The attack forced the City of Knoxville's official website offline, though neighboring Knox County government systems remained unaffected. City Court sessions were canceled due to the network shutdown, with plans to reschedule hearings after system restoration. While emergency services including Fire and Police Departments maintained operational capabilities, personnel lost access to city network resources, as confirmed by spokesmen D.J. Corcoran and Scott Erland.
The city engaged law enforcement agencies including the Federal Bureau of Investigation and Tennessee Bureau of Investigation to investigate the attack. Officials confirmed no personal or credit card information was compromised, noting the city didn't store such data—a factor that reduced potential risks for residents who had made online reservations for city facilities. Municipal offices and services remained open to the public despite network disruptions, though visitors experienced operational inconveniences. Attackers demanded ransom, though city leadership declined to disclose the specific amount. This marked the second cybersecurity incident affecting Knox County government systems within two years, following a May 2018 distributed denial-of-service attack during local elections that temporarily knocked servers offline without data theft. Knoxville officials maintained public communications through alternative channels, including a Twitter statement from the County Mayor emphasizing the pervasive nature of cyber threats to governments. System restoration timelines and identification of the responsible ransomware group remained undetermined at the time of reporting.