Massive ransomware attack hinders services in 70 German municipalities

A ransomware attack this week has paralyzed local government services in multiple cities and districts in western Germany.

Early on Monday, an unknown hacker group encrypted the servers of the local municipal service provider Südwestfalen IT. To prevent the malware from spreading, the company restricted access to its infrastructure for over 70 municipalities, primarily in the western German state of North Rhine-Westphalia.

The attack left local government services “severely limited,” the company said in a statement posted on a temporary website, as its main site is inaccessible following the incident.

Nearly all town halls in the region were impacted by the hack.

Cyberangriff auf die @SuedwestfalenIT. Die Kreisverwaltungen unserer Gesellschafter #Hochsauerlandkreis, @KreisSoest, @Kreis_SiWi, @Kreis_Olpe und #MärkischerKreis und Rathäuser in #Südwestfalen sind betroffen. pic.twitter.com/QQjy1PXiXj

— TKG Südwestfalen mbH (@tkgswf) October 30, 2023

On the day of the attack, the administration of the German city Siegen canceled appointments with citizens since the majority of its IT systems were shut down. As of Tuesday, most of the administration's online services remained unavailable.

The websites of the city administrations of Wermelskirchen and Burscheid are also down on Wednesday.

"Due to the disruption, we have no access to all applications running via Südwestfalen IT," a Wermelskirchen spokeswoman told German media. This affected the city’s finances, residents, cemeteries, and registry offices.

The affected administrations that publicly discussed the attack said that, even though their online systems are down, they are still offering in-person services to citizens. Their internal and external communication, including email and phone services, are mostly nonfunctional.

German police and cybersecurity agencies are investigating the hack and working to restore services for city administrations.

“But we can't tell our customers anything specific, that puts a lot of stress on people,” a Burscheid spokesperson said.

The timing of the attack is particularly sensitive, according to German cybersecurity experts, as local governments typically perform financial transactions at the end of the month. Payments like salaries, social assistance, and transfers from the nursing care fund may be hindered by the attack, the experts said.

Germany's Federal Office for Information Security (BSI) told Recorded Future News that it is aware of the security incident and is in contact with the affected service provider. However, it cannot comment on further details as the investigation is still ongoing.

German prosecutors participating in the investigation told local media that they are currently working to determine the extent of the damage, which services were impacted, and who was responsible for the attack. They expect a "complex and lengthy investigation."