Carinthia state government BlackCat ransomware attack
The BlackCat/ALPHV ransomware gang encrypted around 3,000 computers of Austria's Carinthia state government and demanded $5 million, halting passport issuance, traffic-fine processing and COVID-19 contact tracing for weeks. The state refused to pay and rebuilt from backups.
- Victim: State of Carinthia (Land Kärnten)
On 24 May 2022, the government of Carinthia (German: Land Kärnten), one of Austria's nine federal states, was struck by the BlackCat/ALPHV ransomware gang. The attack froze a large share of the state administration's computing estate and disrupted everyday public services for residents — and became a high-profile test of the increasingly common policy of refusing to pay.
What happened
The BlackCat operators penetrated the Carinthian government network and deployed their ransomware, encrypting roughly 3,000 workstations. The state's website and email systems went offline, and core citizen-facing services seized up. Among the functions disrupted were passport and travel-document issuance, processing of traffic-fine payments, and the state's COVID-19 testing and contact-tracing operations — at a time when those services were still in heavy use.
The attackers demanded a $5 million ransom, payable in Bitcoin, in exchange for a decryption tool. As is standard for BlackCat — a double-extortion operation — the gang implied it could also leak data, though state officials said there was no evidence that any data had actually been exfiltrated from Carinthia's systems.
Impact
- Approximately 3,000 computers rendered unusable across the state administration.
- Public services including passports, traffic-fine processing and pandemic contact tracing were interrupted, forcing manual workarounds.
- The state's email and web presence were down, hampering both internal operations and communication with citizens.
- Recovery stretched over weeks as IT teams rebuilt systems from backups.
Response and attribution
State spokesperson Gerd Kurath stated plainly that Carinthia would not meet the attackers' demands and would instead restore its systems from backups. No ransom was paid.
BlackCat/ALPHV emerged in late 2021 and was widely assessed to be a rebrand of the DarkSide/BlackMatter operation — the same lineage behind the 2021 Colonial Pipeline attack. Written in Rust and operated as ransomware-as-a-service, BlackCat became one of the most prolific gangs of 2022, with the FBI warning it had compromised dozens of organisations worldwide. The operation was disrupted by an FBI-led action in December 2023.
Why it matters
The Carinthia attack is a model case for public-sector ransomware resilience. By holding firm on a no-pay stance and relying on backups, the state avoided funding a criminal enterprise — but the prolonged disruption to passports, fines and health services showed the real cost borne by citizens when a regional government's IT is encrypted. It reinforced why public administrations across Europe have prioritised offline backups, network segmentation and tested recovery plans as the practical answer to ransomware demands.
Timeline
- The BlackCat/ALPHV ransomware gang breaches the Carinthia state government's network and begins encrypting systems.
- Around 3,000 workstations are locked; the state's website and email go offline and citizen services are disrupted.
- Attackers demand a $5 million ransom in Bitcoin for a decryption tool.
- State spokesperson Gerd Kurath publicly states Carinthia will not meet the attackers' demands and will restore from backups.
- Carinthia gradually rebuilds affected systems and restores disrupted public services without paying the ransom.
Sources
- bleepingcomputer.com: https://www.bleepingcomputer.com/news/security/blackcat-alphv-ransomware-asks-5-million-to-unlock-austrian-state/
- bankinfosecurity.com: https://www.bankinfosecurity.com/blackcat-ransom-demand-5m-from-austrian-state-carinthia-a-19171
- acronis.com: https://www.acronis.com/en-us/cyber-protection-center/posts/austrian-state-of-carinthia-hit-by-blackcat-ransomware/