A cyber attack with ransomware took place on the IT service provider Südwestfalen-IT on October 30, 2023. Among other things, the provider supplies 72 municipalities with IT services, which have been completely paralyzed for almost two weeks. Now there are initial findings – although not particularly good ones.
The IT provider SIT – Südwestfalen-IT informs all customers and communities about the progress of the cyber attack with ransomware via an emergency website. Among those affected are the 72 member municipalities from the association area in South Westphalia, including the districts of Hochsauerlandkreis, Märkischer Kreis, Olpe, Siegen-Wittgenstein, Soest and several municipalities in the Rheinisch-Bergisches Kreis.
In order to prevent the malware from spreading within the network, the data center's connections to and from all municipalities in the association were cut. As a result, administrations are currently unable to access the specialized procedures and infrastructure provided by the SIT and are severely limited in their services to citizens.
Akira Ransomware is said to be the attacker
Der Spiegel is currently reporting that the Siegener Zeitung has a confidential letter from the Interior Ministry to the state parliament. The APT group Akira is said to be named as the attacker. The Akira Group has only been active since March 2023, but attacks many companies. However, there is no reference to the attack on the Akira Group's leak page, where such groups usually like to brag about their attacks.
The ransomware used is a sophisticated malware that aims to encrypt the files on a victim's system, delete shadow copies, and provide instructions for paying the ransom and data recovery. It uses encryption algorithms, exclusion criteria and a communication system based on TOR to carry out malicious operations.
First forensic analyses
According to its own information, Südwestfalen-IT (SIT) has completed the first phase of forensic analyses of the affected systems and is now using the knowledge gained to examine all customer systems in a systematic process. In addition, Südwestfalen-IT will, together with the members of the expanded crisis team, finalize a prioritization of the specialist procedures to be restored by the end of this week. It then wants to begin the gradual restoration of the systems.
First workarounds not until next week
Südwestfalen-IT is confident that the first workarounds can be introduced next week so that citizens can at least temporarily use some public services again. However, the service provider is already expecting much longer downtimes.
The communities are helping themselves as best they can, because the entire IT system is paralyzed, including the district homepages. Here is a short list of information sources available in each district. New telephone numbers can also be found there.
- Hochsauerlandkreis – informed via Facebook
- Märkischer Kreis – informed via Facebook
- Siegen-Wittgenstein/Olpe – informed via emergency homepage kreissiwi.de
- Soest – informed via Facebook
- Lüdenscheid – informed via emergency homepage www.luedenscheid.de