The Town of Villafranca d’Asti, a small Italian municipality in northern Italy that has a total population of just over three thousand people, has suffered a ransomware attack during the weekend. The actors are of the Avaddon gang, who are already leaking sensitive documents on their dark web portal.
As the crooks declared, the officials of the Comune di Villafranca d’Asti will be given 240 hours to communicate and cooperate with them. If they fail to do that, Avaddon promises DDoS on the municipality’s website and publishes all the documents they're holding.
The documents that the actors claim to be holding include financial documents, agreements, contracts, banking documents, payment invoices, applications, permits, ID cards, medical records, personal documents, and many more. The sample documents and screenshots that have been leaked appear to be authentic, and many of the things posted on Avaddon’s portal is quite recent, so the compromise is fresh, no doubt.
Admittedly, seeing ransomware groups attacking small municipalities is strange and somewhat unexpected. One may rightfully wonder why crooks focus on these small communities instead of larger cities or companies. This is actually a trend that first appeared two years ago and is still ongoing, so here's why.
Ransomware actors are attacking smaller towns because, first, they’re poorly secured against these menaces, and so compromising them is fairly easy. Secondly, these entities may be small, but they still hold and manage significant amounts of money, while they also enjoy the support of the state, and so they have potential access to notable financial resources. Thirdly, public services cannot stay offline for long, so they have a strong incentive to negotiate with the actors. It is estimated that one in five municipalities are paying the ransom, which is a very satisfactory rate for the threat actors.
David Carmiel, CTO at KELA tells us:
We've seen Avaddon specifically attacking municipalities in Portugal, Italy, Brazil, France, and Czech Republic over the past couple of months. Avaddon has released the municipalities' sensitive data, indicating that the majority of them have not been paying the ransom demanded. However, in one specific case the municipality's data was published and later deleted, which could indicate that they paid. Additionally, we identified that Avaddon posed threats of DDoS attacks on three of the listings on their blog. We are closely monitoring this to understand why it could be that they keep targeting municipalities, it could very likely be that these are just opportunistic attacks as we have seen some other ransomware gangs sporadically attacking municipalities globally.
In the case of Villafranca d’Asti, and all European cities for that matter, we also have the GDPR factor and the trouble that arises from the violation of the regulation. The documents that concern PII of employees and citizens should have been adequately protected against data breaches and leaks, but they weren’t.
We have reached out to the municipality to ask about the incident and what they’re planning to do, and we will update this piece with their comment once we hear back from them.