Mallorca’s Calvià City struggles to recover after €10M ransom attack


The Calvià City Council, which has refused to pay its attackers a €10 million ransom demand, says it's hoping to achieve a "prompt recovery of systems" after most city services were knocked offline over the weekend.

Calvià City, located in the Mediterranean hotspot of Mallorca, Spain, was hit with the ransomware attack on Saturday, January 13th.

The City Council posted an update on its website Thursday with details about the forensics investigation and its “recovery process roadmap.”

ADVERTISEMENT

The Council stated that 90% of the city’s ​​”tax management and collection” should be restored by next Monday, January 29th, followed by the gradual recovery of other systems.

The city had suspended all administrative deadlines until January 31st.

A post on X linking to the January 17th update shows the City Council working in “collaboration with the National Cryptological Center Computer Emergency Response Team (CCN-CERT).

The CCN is said to have found “examples of the harmful code (malware)," which is now “being analyzed by teams of reverse engineering specialists,” considered "crucial" to accurately characterize the threat.

Ryan McConechy, CTO of Barrier Networks, described the attack as “a major incident” affecting services in Mallorca and said that only postponing deadlines until the end of January might be a bit ambitious of the Council

“It all depends on the scale of the attack, the security measures the Council has in place to contain the incident, and the recovery plans it already has laid out,” McConechy added.

“In the past, we’ve seen ransomware attacks take down organizations for months while IT teams work to restore service and data,” he said.

ADVERTISEMENT

The Council said it is still trying to determine what and if any sensitive information was exfiltrated by the ransomware operators while making sure the hackers did not leave a backdoor in the city’s networks to carry out future attacks.

Attackers demand 10 million euros

Meantime, the unidentified ransom gang attempted to extort the Council of 10,000,000 euros in ransom, roughly the equivalent of 11 million US dollars.

The sum is quite a large ransom demand for a historic city with a population of just about 50,000 – although it is Mallorca’s second-largest municipality and a popular tourist destination on the Spanish island.

Calvià’s Mayor, Juan Antonio Amengual, publicly announced earlier this week that the Council would not pay the demand.

“We work with experts and other institutions to stop the cyberattack. The City Council does not stop, it continues to function a little slower, but moving,” Amengual said in a video statement posted on X.

McConechy points out that it is a positive sign the Mayor has committed "not to do any business with the perpetrators."

“But given they are asking for €10 million, this could indicate they have walked away with a lot of sensitive data or locked down key systems, which could prove detrimental to the council,” he explained.

As part of the update, the Council also said it has “accelerated the arrival of more than 150 state-of-the-art computer equipment that will be installed over the coming weeks” in an effort to beef up the "cybersecurity of the Calvianer town hall.”

ADVERTISEMENT

McConechy said the key takeaway here is how major ransomware is today, and the need for businesses to prioritize their defenses.

The CTO stressed the need for all businesses to be using “strong, unique passwords, implementing MFA and Zero Trust principles, using Privileged Access Management (PAM) to protect key accounts, deploying layered security to prevent lateral movement, and training employees regularly on phishing and cybercrime.”