Cyber Incident Victim: Unione Reno Galliera
Date:
Sep 2021
Location:
Italy
Summary
A ransomware attack attributed to the Sprite Spider cyber gang using RansomExx malware compromised Unione Reno Galliera, a municipal union serving eight Bologna-area communities. The attackers exfiltrated approximately 60GB of data, subsequently publishing it on their leak site after the organization reportedly declined to pay a ransom. Impacted services included municipal police operations, civil protection, IT infrastructure, personnel management, and urban planning systems. The incident reflects RansomExx's pattern of opportunistic targeting of Italian public sector entities, with stolen data comprising administrative documents and operational records from shared municipal systems.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 0 motives | 2 techniques |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
The ransomware group RansomExx, operated by the cybercriminal gang Sprite Spider, executed an attack against Unione Reno Galliera, an administrative union of eight municipalities in the Bologna metropolitan area. This incident followed a pattern of opportunistic targeting of Italian public sector entities, mirroring the group’s earlier high-profile attack on the Lazio region. The affected municipalities included Argelato, Bentivoglio, Castello d’Argile, Castel Maggiore, Galliera, Pieve di Cento, San Giorgio di Piano, and San Pietro in Casale. Attackers compromised the union’s servers, exfiltrating approximately 58.59 GB of data. On September 26, 2021, RansomExx published the stolen data on its darknet leak site (DLS), distributing it through 120 files, each 500 MB in size. The union managed critical services for member municipalities, including municipal police operations, civil protection, business support services, IT infrastructure, personnel management, and urban planning. No evidence indicated the union paid a ransom, leading to the data’s public release.
The breach exposed operational and administrative data tied to the union’s centralized services, though the specific sensitivity of the leaked documents remained unconfirmed at the time of reporting. The incident disrupted services managed by the union for its member municipalities, though the article did not specify downtime duration or recovery steps. RansomExx’s history of maintaining and refining its ransomware tools suggested a deliberate focus on Italian public sector targets during this period. The data publication represented both operational disruption and potential reputational risks for the municipalities, given the exposure of internal administrative information. Cybersecurity analysts monitoring darknet leak sites identified the data dump, confirming RansomExx’s involvement through their established communication channels. The union’s reliance on centralized IT systems for cross-municipal services likely amplified the attack’s impact across multiple local governments.