Vice Society ransomware claims attack on Italian city of Palermo

The Cathedral of Palermo

The Vice Society ransomware group has claimed responsibility for the recent cyber attack on the city of Palermo in Italy, which has caused a large-scale service outage.

The attack occurred last Friday, and all internet-dependent services remain unavailable, impacting 1.3 million people and many tourists visiting the city.

The authorities admitted the severity of the incident on Monday and explained that all systems had to be taken offline to contain the damage, warning that the outages might last a few more days.

The shutdown of its entire network made the incident look suspiciously like a ransomware attack rather than part of the DDoS attacks that recently hit the country.

Vice Society claims responsibility

Yesterday, Vice Society claimed they were behind the attack on Palermo by posting an entry on their dark web data leak site, threatening to publish all stolen documents by Sunday if a ransom is not paid.

Palermo victim added on Vice Society Tor site

This means that the negotiations for the ransom payment haven’t reached a dead end yet, and Vice Society hopes that its threats to Palermo’s officials will prove effective.

Threatening the victim with the publication of data is standard practice for ransomware groups today, called the “double extortion” tactic, and can be a powerful way to extort victims.

Vice Society might hold the personally identifiable information of Palermo’s residents and the sensitive details of anyone who has used the municipality’s digital services.

It’s worth noting that the ransomware gang hasn’t posted any samples of stolen files, and as such, the claimed data exfiltration cannot be verified yet.

Known for exploiting vulnerabilities

Vice Society is known for breaching networks by exploiting known vulnerabilities on unpatched systems.

For example, in August 2021, Cisco Talos researchers observed the ransomware group deploying a DLL that exploited CVE-2021-1675 and CVE-2021-34527, the “PrintNightmare” flaws in the Windows Print Spooler.

While it’s impossible to tell if Palermo’s computer systems had a security hole that could be exploited for initial access, it wouldn’t be a far-fetched scenario for public-facing state networks.

The officials at Palermo have not disclosed any details of the attack, even though almost a week has passed since they switched off the entire IT system that runs all of the city’s services.

Bleeping Computer attempted to source more information from SISPI, the IT service provider that currently handles the incident response and system restoration, but we have not received a response yet.