RansomHub Ransomware Disrupts Timișoara City Hall Services
RansomHub Ransomware Attack on Timișoara City Hall
On August 24, 2024, the public institutions of Timișoara, including the City Hall, City Fiscal Department (DFMT), and Local Police, were targeted by a ransomware attack orchestrated by the cybercriminal group RansomHub. The National Cyber Security Directorate (DNSC) was alerted to the incident on August 25, 2024. The attackers deployed ransomware to encrypt data on several servers and workstations, disrupting essential services.
Victim Profile: Timișoara City Hall
The Primăria Municipiului Timișoara, or Timișoara City Hall, serves as the local administrative authority for the municipality of Timișoara, Romania. It is responsible for governance, public service delivery, urban planning, and community engagement. The City Hall is organized into various departments, including the Direcția de Evidență a Persoanelor, Instituția Arhitectului Șef, Direcția Generală de Investiții și Mentenanță, Direcția Relații Comunitare, and Serviciul Managementul Deșeurilor și Salubrizare. These departments work collaboratively to implement policies, manage public services, and respond to community needs.
Timișoara is a significant urban center in Romania, serving as the capital of Timiș County with a population of approximately 250,849 as of the 2021 census. The city is recognized for its historical significance, multicultural environment, and vibrant cultural scene. Timișoara was designated as a European Capital of Culture for 2023, further enhancing its profile on the international stage.
Attack Overview
The ransomware attack disrupted several essential services provided by the City Hall. The DNSC specialists are actively collaborating with the IT teams of the affected institutions to mitigate the impact, investigate the incident, and restore services. As of the latest update, all online services of the Timișoara City Hall are operational, including the Single Portal, town planning certificates, online appointments for the Population Record, notifications, and participatory budgeting. However, the Fiscal Directorate has temporarily suspended the collection of local fees and taxes online or via card payments at the counter. Payments can still be made in cash at the DFMT counters and in room 12 of the City Hall. The Local Police have also suspended online notifications, which are now being handled via phone at the dispatch office.
RansomHub: A Formidable Ransomware Group
RansomHub, a Ransomware-as-a-Service (RaaS) group, first appeared in February 2024. It quickly carved a place in the ransomware landscape by adopting a highly adaptable and aggressive affiliate model. The group is known for its speed and efficiency, with ransomware optimized to encrypt large datasets quickly while targeting a wide range of cross-platform systems. RansomHub affiliates primarily use phishing campaigns, vulnerability exploitation, and password spraying to gain initial access. The group has also leveraged zero-day vulnerabilities.
RansomHub distinguishes itself with several unique traits, including intermittent encryption, Curve25519 elliptic-curve encryption, and a modular architecture that allows affiliates to update ransomware strains quickly to avoid detection. The group's operations surged in August 2024, listing over 210 victims on its leak site. RansomHub's Tactics, Techniques, and Procedures (TTPs) reflect a high level of operational sophistication, making it a formidable threat to organizations worldwide.