The City of Thessaloniki in Greece is Being Extorted by the ‘Grief’ Ransomware Group

Published on July 27, 2021
Written by:
Bill Toulas
Cybersecurity Journalist

A few days ago, Greece’s Deputy Mayor of Business Planning and e-Government, George Avarlis, informed the public that the Municipality of Thessaloniki had suffered a catastrophic cyber-attack that forced all public-facing services into an abrupt shutdown. The incident was clarified to be a ransomware attack, and the ransom demand was set to $20 million, but the actors weren’t named at the time. Now, with the help of KELA’s dark web scanners, we were able to find that it was ‘Grief,’ a fairly new group that launched its operations roughly two months ago.

The website “thessaloniki.gr” is currently up and running, but the e-government services that should be available to one million citizens of Greece’s second-largest city are still offline. This indicates that the restoration process is still underway, but an estimate for the completion of the tedious process hasn’t been shared with the public. The people of Thessaloniki will possibly have to endure this discomfort for quite a few more days, as paying the massive ransom is out of the question.

‘Grief’ has also published a 92MB zip file containing documents that were stolen during the cyber-attack, as well as some building drawings and old budget spreadsheets that appear to be public information anyway. We have taken a look at the sample that was published, and most of the documents in there appear to contain information that is publicly accessible or retrievable under conditions. Still, there are also a few private letters and financial reports that should constitute confidential information.

Leaked financial management audit report

In any case, this is a disruption to a large municipality in a European country and a stark reminder of why nobody can afford to ignore the constant threat of ransomware actors by maintaining a lax security stance.

Whether or not ‘Grief’ holds more information and keeps it private for reasons of furthering the extortion remains to be seen, but this particular group of actors isn’t of that type. When they first came out, they declared that they had no interest in negotiating with victims, saying that they would publish everything they had immediately if the compromised entity didn’t meet their demands. Hence the name ‘Pay or Grief’.


