Palermo ransomware attack: Vice Society claims responsibility as city details recovery strategy

Photograph taken of an old building in Palermo, Italy, with the sun setting in the background over the hills
(Image credit: Getty Images)

The cyber attack on the Italian municipality of Palermo has been confirmed as a ransomware incident, with Vice Society claiming responsibility.

The incident appears to be an example of double extortion ransomware, given that Vice Society’s victim page indicates that a set of documents belongong to Palermo will be published at 13:15 (BST) on Sunday 12 June.

The nature of the stolen data has not been specified and Palermo has not confirmed any of its data has been exfiltrated, though it has confirmed a cyber attack took place and said data theft was a possibility.

The city issued a press release Thursday afternoon, confirming the attack to be ransomware and detailing the processes the municipality has taken to contain the incident.

Digitally translated from Italian to English, the press release confirmed that the attack affected the “entire telematic infrastructure” of Palermo’s data centre, “including all the workstations distributed at the offices of the municipal administration of Palermo connected to it”, leading to a total interruption of services.

Palermo is attempting to restore its systems from backups, the press release indicated, though some of its backups were corrupted in the attack. It said its Veeam server was unavailable, as was its VMware infrastructure. It is now relying on other backups from its Arcserve recovery solution and the remaining accessible data from its Oracle database and NetApp storage.

Palermo’s recovery process will involve preparing a private network, closed off only to a small number of verified workstations. It will then attempt to re-install basic infrastructure and then attempt to restore workstations before re-adding them to the network.

The municipality also confirmed that it notified the relevant data protection authorities within three days of the attack, per GDPR’s legal requirements.

Screenshot of Vice Society ransomware gang's blog claiming the hack on Palermo

It made no indication that it was prepared to pay the ransom demands, a currently unknown sum, from Vice Society.

A number of the city’s websites are unreachable, at the time of writing, including the city’s official website and SISPI, the IT service management system of Palermo.


Securing endpoints amid new threats

Ensuring employees have the flexibility and security to work remotely


“While we are still unsure of the full impact of the hack, even if the municipality has been successful in taking systems offline to prevent the spread of ransomware, it has still resulted in real-life issues for both the authorities and residents of the community,” said Ian McShane, VP of strategy at Arctic Wolf, speaking to IT Pro. “With municipal police services taken down and residents forced to rely on fax machines to communicate with city officials.

“Unfortunately, public sector organisations are often in a worse position than some private companies when it comes to cyber security. Often with smaller budgets than large multinational corporations, it can be difficult for them to attract talent by offering competitive salaries. This results in teams being overstretched and overwhelmed with issues.”

Palermo confirmed the attack hours after the initial breach on 2 June and many of the municipality’s IT systems were shut down and isolated from its network as a result, Paolo Camassa, deputy mayor of Palermo, said via Facebook.

“Activities are underway to evaluate the nature and consequences of the accident. Services are currently unavailable and there may be any inconvenience in the next few days for which we apologise in advance,” his statement read, translated digitally.

“The SISPI has already set up a technical team to manage the event and the necessary measures have been put in place to remedy possible violations of personal data and communication is being provided to the competent authorities.”

Italy under siege

When the cyber attack was first discovered, the nature of it was unclear. Initial speculation from outsiders was that it was conducted by the pro-Russia Killnet hacking collective which ‘declared war’ on Italy, and nine other countries, mere days before the ransomware attack.

Killnet mounted an offensive against Italy after the country’s Computer Security Incident Response Team (CSIRT) thwarted the hackers’ attempted attack on the Eurovision Song Contest’s voting systems – an unsuccessful bid to stop Ukraine from winning.

The threat of distributed denial of service (DDoS) attacks launched by Killnet on Italian organisations prompted the country’s CSIRT to issue a warning to all public and private sector organisations of impending attacks.

Those thought to be at particular risk were government departments, utility companies, and any business with a brand identity linked to Italy.

A change in tack from ransomware gangs?

Since the infamous ransomware attack on Colonial Pipeline that brought the east coast of the US to its knees last year, ransomware gangs were thought to be adjusting their targeting models to avoid atatcking the largest organisations and drawing serious attention from law enforcement.

The thnking was re-iterated earlier this year in a joint advisory published by the UK’s National Cyber Security Centre (NCSC) and the US’ Federal Bureau of Investigation (FBI).

The Colonial Pipeline incident prompted the Biden administration to start treating ransomware attacks in much the same way as terrorist attacks.

There have not yet been any ransomware cases that have led to the prosecution of anyone under terrorism laws, but the threat was thought to be enough to stop attacks on targets as significant and large as the likes of Palermo and also recently, Costa Rica.

The attack on Palermo, following the double ransomware attack on Costa Rica, raises questions about the motives of ransomware actors and whether they are once again attempting to target larger organisations, and in recent cases entire countries.

Vice Society’s attack could simply be an extension of its well-documented modus operandi – to hack organisations after exploiting known, unpatched security vulnerabilities.

“While there hasn’t been a lot of information released about the attack to date – only that all key systems have been taken down while the incident response activities are ongoing – the gang are known for exploiting recognised vulnerabilities within systems, but this is quite common among ransomware gangs,” said Cliff Martin, head of cyber incident response at GRC International Group, speaking to IT Pro.

“There are many ransomware gangs around so I wouldn’t suggest that all gangs have the same approach when it comes to who they target and how they achieve their objectives,” he added. “It is likely that the gang came across the vulnerable systems and took advantage of the opportunity. Sites like Shodan index internet-facing systems and provide attackers with information they can use to target certain systems/organisations.”

Cisco Talos security researchers noted last year that Vice Society was using the vulnerabilities in Windows’ print spooler service, known as the PrintNightmare flaw, in ransomware operations.

The same researchers also noted that it has a history of targeting public institutions, namely in the education sector.

Vice Society’s blog currently shows the De Montfort School and St Paul’s Catholic College as two of its most recent victims, both in the education sector and based in Worcestershire and Surrey respectively.

Connor Jones

Connor Jones has been at the forefront of global cyber security news coverage for the past few years, breaking developments on major stories such as LockBit’s ransomware attack on Royal Mail International, and many others. He has also made sporadic appearances on the ITPro Podcast discussing topics from home desk setups all the way to hacking systems using prosthetic limbs. He has a master’s degree in Magazine Journalism from the University of Sheffield, and has previously written for the likes of Red Bull Esports and UNILAD tech during his career that started in 2015.