Ayuntamiento de San Lorenzo de El Escorial Ransomware Attack

Incident Date: May 31, 2024

Overview

Title: Ayuntamiento de San Lorenzo de El Escorial Ransomware Attack

Victim: Ayuntamiento de San Lorenzo de El Escorial

Attacker: Lockbit3

Location: San Lorenzo de El Escorial, Spain

First Reported: May 31, 2024

Ransomware Attack on Ayuntamiento de San Lorenzo de El Escorial

Victim Overview

The Ayuntamiento de San Lorenzo de El Escorial, a local government entity in San Lorenzo de El Escorial, Spain, operates within the Government sector. Employing between 2,001 and 5,000 people, the organization is known for its dedication to preserving the town's rich history and cultural heritage. It also actively promotes modernity and community engagement through various events and initiatives.

Attack Overview

On May 31, 2024, the Ayuntamiento de San Lorenzo de El Escorial fell victim to a ransomware attack executed by the LockBit ransomware group. This attack led to the theft of approximately 450 GB of data, severely impacting the municipality's operations. While the specific data compromised has not been fully disclosed, the breach significantly disrupted the town's administrative functions.

Ransomware Group Profile

LockBit 3.0, also known as LockBit Black, is a Ransomware-as-a-Service (RaaS) group that represents an advanced evolution of the original LockBit group. Renowned for its sophisticated capabilities, LockBit 3.0 encrypts files, modifies filenames, changes desktop wallpapers, and drops ransom notes on victims' desktops. The ransomware's heavy obfuscation makes it particularly challenging for security researchers to analyze.

Company Vulnerabilities

The prominence of the Ayuntamiento de San Lorenzo de El Escorial in the Government sector, coupled with its medium-sized organizational structure, likely made it an appealing target for threat actors like the LockBit 3.0 ransomware group. The municipality's crucial role in providing municipal services and organizing community events increased its vulnerability to cyberattacks aimed at disrupting operations and compromising sensitive data.
