Executive Summary
In late November 2025, the Royal Borough of Kensington and Chelsea (RBKC) and Westminster City Council experienced operational disruption following a cyberattack on the IT environment the two councils share; a third London council was also affected, according to the Guardian report cited below. Public-facing platforms such as resident portals and payment processing were taken offline as a precaution, and council operations shifted to manual workarounds, affecting both internal processes and citizen-facing services. RBKC has since confirmed that data was copied from its systems. The incident underscores the exposure created by shared-service models in local government: one intrusion into a shared platform can disrupt several authorities at once.
This attack is a further reminder of the rising frequency of ransomware and data-theft campaigns against public bodies in the UK and globally. With local authorities managing sensitive citizen data and critical services, the need for robust preventive controls and rehearsed incident response has never been more acute.
Why This Matters Now
Municipal governments are increasingly being targeted by ransomware gangs, which can paralyze vital civic services and jeopardize citizen data. As local authorities rely more on shared or outsourced IT infrastructure, one breach can have cascading consequences, making aggressive, multi-layered defense and visibility across supply chains an urgent priority.
Attack Path Analysis
The cited reports do not describe how the attackers got in, so the path below is a generic ransomware intrusion pattern rather than confirmed detail of this incident. Initial access to council IT systems is typically gained via phishing or stolen credentials, or by exploiting an exposed remote-access service. Once inside, attackers escalate privileges, often by abusing weak IAM policies or dumping credentials from compromised hosts. With elevated access they move laterally across networks or cloud workloads, identifying file servers, backups and identity infrastructure. A command-and-control channel, usually tunnelled over ordinary web protocols, maintains persistent access and coordinates the operation. Sensitive data is commonly exfiltrated before encryption so that it can be used for double extortion; in this case RBKC has confirmed data was copied. Finally the ransomware payload is deployed, encrypting data and disrupting services across every council that depends on the shared platform.
Kill Chain Progression
Initial Compromise
Description
Adversaries gained access to the councils' shared cloud or hybrid IT environment, most likely via stolen credentials, phishing, or exploitation of an exposed remote-access service. The specific vector has not been disclosed in the cited reports.
Related CVEs
CVE-2025-22230
CVSS 7.8 (VMSA-2025-0005). An improper access control flaw in VMware Tools for Windows that lets a non-administrative user inside a Windows guest VM perform high-privilege operations within that guest. It is not a VMware ESXi host vulnerability and does not provide unauthenticated remote code execution.
Affected Products:
VMware Tools for Windows 11.x and 12.x prior to 12.5.1
Exploit Status:
No public confirmation of in-the-wild exploitation at the time of writing. None of the cited sources link this or any other CVE to the council incident; the entry is included only as a candidate weakness in virtualised estates, not as an established attack vector.
MITRE ATT&CK® Techniques
T1190 Exploit Public-Facing Application
T1566 Phishing
T1078 Valid Accounts
T1059 Command and Scripting Interpreter
T1486 Data Encrypted for Impact
T1565 Data Manipulation
T1003 OS Credential Dumping
T1071 Application Layer Protocol
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks. Note that UK local authorities are not directly subject to NYDFS, DORA or NIS2, and PCI DSS applies only to their card-payment environments; the mappings below are illustrative. The regime that applies directly is UK GDPR and the Data Protection Act 2018, under which a personal-data breach must be reported to the ICO within 72 hours of becoming aware of it.
PCI DSS 4.0 – User Identification and Authentication
Control ID: 8.1.2
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 6
CISA ZTMM 2.0 – Multi-Factor Authentication
Control ID: Identity Pillar - Control 1
NIS2 Directive – Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the incident, including operational, regulatory, and cloud security risks.
Government Administration
Direct ransomware targeting of London councils exposes critical vulnerability in public service IT infrastructure requiring enhanced segmentation and threat detection capabilities.
Information Technology/IT
Municipal IT systems disruption highlights need for zero trust architecture, encrypted traffic monitoring, and robust backup systems against ransomware attacks.
Computer/Network Security
Council cyberattacks demonstrate urgent demand for advanced threat detection, egress security controls, and multicloud visibility solutions in public sector environments.
Public Safety
Service disruptions at government councils could compromise emergency response coordination and citizen safety services, requiring resilient hybrid connectivity and anomaly detection.
Sources
- Multiple London councils' IT systems disrupted by cyberattack (BleepingComputer): https://www.bleepingcomputer.com/news/security/multiple-london-councils-it-systems-disrupted-by-cyberattack/
- London councils enact emergency plans after three hit by cyber-attack (The Guardian, 26 November 2025): https://www.theguardian.com/technology/2025/nov/26/london-councils-kensington-and-chelsea-westminster-cyber-attack-emergency
- Royal Borough of Kensington and Chelsea admits data 'copied' in cyberattack (Computing): https://www.computing.co.uk/news/2025/security/royal-borough-kensington-chelsea-data-breach
- Cyber security incident, Friday 28 November update (Westminster City Council): https://www.westminster.gov.uk/news/cyber-security-incident-friday-28-november-update
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Zero trust segmentation, east-west traffic controls, egress filtering, and real-time threat detection constrain attacker movement, limit exposure, and give defenders a chance to detect an intrusion before ransomware is deployed. CNSF-aligned controls disrupt the attack at several kill chain stages by enforcing least privilege, microsegmentation, visibility, and strict egress management.
Control: Cloud Firewall (ACF)
Mitigation: Blocked unauthorized external connections and reduced remote attack surface.
Control: Multicloud Visibility & Control
Mitigation: Detected anomalous privilege changes and alerted for rapid investigation.
Control: Zero Trust Segmentation
Mitigation: Contained attacker movement by strictly enforcing least-privilege network access.
Control: Inline IPS (Suricata)
Mitigation: Detected and blocked known C2 traffic patterns and signatures.
Control: Egress Security & Policy Enforcement
Mitigation: Prevented or detected unauthorized outbound data transfers.
Across these controls, early detection of mass file encryption or other anomalous file activity on workloads is what limits how far ransomware spreads once it is launched.
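The following is an added example, not code from the page or from any vendor, of the kind of file-activity detection the controls above describe: a sliding-window detector that flags a process which renames or overwrites many files across many directories in a short time, with a burst of extension changes (the classic mass-encryption signature). The audit-event format, hosts, users, process names and paths are all constructed for the example.

```python
"""Detect ransomware-like mass file modification from file-audit events.

Added example: a per-(host, process) sliding-window detector. An alert fires
when, within the window, one process writes/renames many files across many
directories and changes many file extensions. The event format is a
hypothetical CSV line: ts,host,user,process,action,path,new_path
"""
from __future__ import annotations

import csv
import posixpath
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from io import StringIO
from typing import Iterable, Optional


@dataclass(frozen=True)
class FileEvent:
    ts: datetime
    host: str
    user: str
    process: str
    action: str      # "write", "rename" or "delete"
    path: str
    new_path: str    # only populated for "rename"


@dataclass
class Alert:
    host: str
    process: str
    user: str
    first_seen: datetime
    events: int
    directories: int
    extension_changes: int


def parse_events(text: str) -> list[FileEvent]:
    """Parse the constructed CSV audit format; '#' lines are comments."""
    out = []
    for row in csv.reader(StringIO(text)):
        if not row or row[0].startswith("#"):
            continue
        ts = datetime.strptime(row[0], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        out.append(FileEvent(ts, row[1], row[2], row[3], row[4], row[5], row[6]))
    return out


def _ext(path: str) -> str:
    return posixpath.splitext(path)[1].lower()


class MassEncryptionDetector:
    def __init__(self, window_s: int = 60, min_events: int = 20,
                 min_dirs: int = 5, min_ext_changes: int = 10) -> None:
        self.window = timedelta(seconds=window_s)
        self.min_events, self.min_dirs, self.min_ext_changes = min_events, min_dirs, min_ext_changes
        self._windows: dict[tuple[str, str], deque[FileEvent]] = defaultdict(deque)
        self._alerted: set[tuple[str, str]] = set()   # alert once per host/process

    def feed(self, ev: FileEvent) -> Optional[Alert]:
        key = (ev.host, ev.process)
        q = self._windows[key]
        q.append(ev)
        while q and ev.ts - q[0].ts > self.window:   # drop events outside the window
            q.popleft()
        if key in self._alerted:
            return None
        writes = [e for e in q if e.action in ("write", "rename")]
        dirs = {posixpath.dirname(e.path) for e in writes}
        ext_changes = sum(1 for e in q if e.action == "rename" and _ext(e.new_path) != _ext(e.path))
        if len(writes) >= self.min_events and len(dirs) >= self.min_dirs \
                and ext_changes >= self.min_ext_changes:
            self._alerted.add(key)
            return Alert(ev.host, ev.process, ev.user, q[0].ts, len(writes), len(dirs), ext_changes)
        return None


def scan(events: Iterable[FileEvent]) -> list[Alert]:
    det = MassEncryptionDetector()
    return [a for a in (det.feed(e) for e in sorted(events, key=lambda e: e.ts)) if a]


def build_sample() -> str:
    """Constructed audit log: a benign user saving documents, then a
    hypothetical process renaming files to .locked across six shares."""
    lines = ["# ts,host,user,process,action,path,new_path"]
    base = datetime(2025, 11, 24, 8, 0, 0)
    for i in range(6):   # benign: one save every five minutes
        t = base + timedelta(minutes=5 * i)
        lines.append(f"{t:%Y-%m-%dT%H:%M:%SZ},fs01,alice,WINWORD.EXE,write,/share/finance/report{i}.docx,")
    dirs = ["finance", "hr", "planning", "housing", "legal", "benefits"]
    for i in range(30):  # malicious: 30 extension-changing renames in 30 seconds
        t = base + timedelta(minutes=12, seconds=i)
        d = dirs[i % len(dirs)]
        lines.append(f"{t:%Y-%m-%dT%H:%M:%SZ},fs01,svc_backup,updater.exe,rename,"
                     f"/share/{d}/doc{i}.xlsx,/share/{d}/doc{i}.xlsx.locked")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for alert in scan(parse_events(build_sample())):
        print(alert)
```

The thresholds are deliberately conservative so that a user saving a handful of documents never trips them; in production they would be tuned per file server, and the alert would feed an automated response (disable the account, isolate the host) rather than just a log line.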
Impact at a Glance
Affected Business Functions
- Public Services
- Customer Support
- Financial Transactions
Estimated downtime: 14 days
Estimated loss: $5,000,000
Personal and financial data of residents and service users may have been accessed; RBKC has confirmed that data was copied from its systems, and the full scope of what was taken has not yet been disclosed.
Recommended Actions
Key Takeaways & Next Steps
- Implement Zero Trust Segmentation to enforce least privilege across all workloads and cloud resources.
- Deploy east-west traffic security controls to contain lateral attacker movement and enhance workload isolation.
- Enforce strict egress filtering and real-time inspection to prevent command and control and data exfiltration.
- Expand centralized visibility and anomaly response capabilities to detect emerging threats quickly.
- Regularly review and harden identity and access policies, combining network controls with robust IAM governance.