December 16, 2019
A few days ago, Greece’s Deputy Mayor of Business Planning and e-Government, George Avarlis, informed the public that the Municipality of Thessaloniki had suffered a catastrophic cyber-attack that forced an abrupt shutdown of all public-facing services. The incident was confirmed to be a ransomware attack with a ransom demand of $20 million, but the actors were not named at the time. Now, with the help of KELA’s dark web scanners, we were able to determine that it was ‘Grief,’ a fairly new group that launched its operations roughly two months ago.
The website “thessaloniki.gr” is currently up and running, but the e-government services that should be available to the one million citizens of Greece’s second-largest city are still offline. This indicates that the restoration process is still underway, but no estimate for the completion of this tedious process has been shared with the public. The people of Thessaloniki will likely have to endure this disruption for quite a few more days, as paying the massive ransom is out of the question.
‘Grief’ has also published a 92MB zip file containing documents stolen during the cyber-attack, including building drawings and old budget spreadsheets that appear to be public information anyway. We have taken a look at the published sample, and most of the documents in it appear to contain information that is publicly accessible or retrievable under certain conditions. Still, there are also a few private letters and financial reports that should be considered confidential.
In any case, this is a disruption to a large municipality in a European country and a stark reminder that no organization can afford a lax security stance in the face of the constant threat from ransomware actors.
Whether or not ‘Grief’ holds more information and is keeping it private to further the extortion remains to be seen, but this particular group of actors is not known to operate that way. When they first emerged, they declared that they had no interest in negotiating with victims, saying they would immediately publish everything they had if the compromised entity did not meet their demands. Hence the name ‘Pay or Grief’.