Seville City Council Cyberattack: Ransomware, Response, and Recovery

Seville’s City Council faced a major cyber incident attributed to one of the most prominent hacker groups in the world. In these incidents, it is common for attackers to request information or ransom, and the city’s response was clear: negotiations with cybercriminals would not occur, and recovery efforts would proceed under established security protocols.

The attackers, identified with the LockBit ransomware operation, reportedly demanded $5 million through encrypted communications, later reducing the amount to $1.5 million. LockBit has been linked to several high-profile disruptions, including a recent attack on the Royal Mail. It is described as a fast-acting ransomware strain capable of encrypting large data sets rapidly, a factor that positions it as a major threat in today’s cyber landscape.

The municipality confirmed that the issue has been addressed with the assistance of CCN-CERT, the National Cryptology Center’s computer security response team, and law enforcement authorities. This collaboration reflects the coordinated effort between municipal teams, national agencies, and private sector partners to contain the breach and restore services.

According to official updates, City Council technicians and external specialists have been working since Tuesday to resume normal operations as quickly as possible. All IT services were disrupted on Monday following the cyberattack and remain suspended until the investigation and remediation are complete.

Juan Bueno, the Finance and Digital Transformation Delegate for Seville, stated that the City Council would not pay any ransom. He noted that the municipal team is working with CCN-CERT and Telefónica to fight the attack. Authorities have informed the National Data Protection Center and have consulted with the National Police and Civil Guard. No complaint has been filed to date, pending a full report and documentation from the investigation.

Officials indicated they have a high level of confidence about the source of the intrusion and the compromised terminal, though law enforcement emphasized prudence. Approximately 4,000 municipal computer terminals have been disconnected from the network, and electronic transactions are paused while systems are secured. Residents may notice service delays, particularly in tax processing, while frontline services such as the Local Police and Fire Brigade continue to operate, albeit with limited use of mobile devices for handling inquiries.

City representatives have consistently insisted that there is no proof that citizen data was exfiltrated or that attackers gained ongoing access, even after LockBit made its cryptic ransom demand. The mayor, José Luis Sanz, reiterated that rapid restoration will be pursued, but only under safe, verifiable conditions. The city’s top management has urged a careful, measured response, prioritizing the integrity of systems and data before resuming full operations, and not yielding to any coercive demands.

LockBit’s modus operandi centers on intercepting data, freezing essential systems, and coercing payment in exchange for restoring access. In addition to ransom demands, the group has been associated with the threat to publicly release stolen information if the victim declines to pay, a tactic intended to maximize pressure on the targeted organization. This attack underscores the persistent risk posed by ransomware groups to municipal and public-sector networks and the critical importance of robust incident response plans and proactive defense measures. (Source: CCN-CERT, with coordination from national law enforcement and security partners)
