Cyberattacks Disrupt German Public and Cultural Services
Germany’s Dresden State Art Collections (SKD) reported a targeted cyberattack that disrupted large parts of its digital infrastructure, leaving online ticketing, visitor services, and the museum shop unavailable and forcing on-site payments to cash-only. The museums remained open, and Saxony’s culture ministry said security systems protecting the collections were not affected; the attacker, motive, and whether a ransom demand was involved were not disclosed, and full restoration timelines were unclear.
Separately, multiple German organizations reported ransomware incidents causing service outages. The Verkehrsgesellschaft Main-Tauber (VGMT) said attackers encrypted its servers and data, forcing closure of its office and mobility center and cutting phone/email availability; it remains unclear whether data was stolen. Regensburg-based IT service provider Conceptnet said threat actors gained access around 13 January 2026 and encrypted core systems, including web and email servers, disrupting websites for customers (including REWAG, Stadtwerk Regensburg, and SSV Jahn Regensburg). External forensics and recovery efforts continue, and temporary websites have been stood up to maintain a limited online presence for customers.
Timeline
Jan 23, 2026
SKD operations remain restricted after attack
By 2026-01-23, Dresden State Art Collections said full restoration was still not possible and museum operations remained limited, including cash-only on-site payments. Authorities had not attributed the attack or disclosed whether ransomware or ransom demands were involved.
Jan 23, 2026
VGMT reports ransomware attack and service shutdown
On 2026-01-23, Verkehrsgesellschaft Main-Tauber announced that a cyberattack had encrypted its servers and data, forcing closure of its office and mobility center. The organization said it was unreachable by phone and email while management and local authorities worked to restore at least limited service.
Jan 22, 2026
Conceptnet detects ransomware attack and starts containment
After identifying the incident, Conceptnet said it immediately isolated affected systems, notified the relevant authorities, and began analysis and recovery with internal staff and external IT forensics specialists. Temporary websites were set up for impacted customers such as REWAG, Stadtwerk Regensburg, and SSV Jahn Regensburg.
Jan 21, 2026
Dresden State Art Collections discovers cyberattack
On 2026-01-21, Germany’s Dresden State Art Collections (SKD) discovered a targeted cyberattack that disrupted large parts of its digital infrastructure. Online ticketing, visitor services, the museum shop, and phone and digital services were affected, though collection security systems remained intact.
Jan 13, 2026
Conceptnet attackers access infrastructure and encrypt core systems
Around 2026-01-13, attackers reportedly gained access to the Regensburg IT service provider Conceptnet’s infrastructure and encrypted central systems, including web and email servers. The disruption affected services used by roughly 500 customers.
Related Stories

German Government Pushes More Offensive Cyber Response Amid Ongoing Public-Sector Disruptions
Germany’s federal government signaled a shift toward a more **offensive posture** in response to cyberattacks. Interior Minister **Alexander Dobrindt** said Germany intends to “strike back,” including actions abroad to disrupt attackers and destroy their infrastructure, with operations to be carried out jointly by intelligence services and the **Bundeskriminalamt (BKA)**. The Interior Ministry also plans a new defense center for **hybrid threats**, prepared by the domestic intelligence service, to improve coordination across government levels; Dobrindt framed the move as a response to persistent attacks on institutions, critical infrastructure, and companies, often attributed to groups linked to state services (including Russia). Separately, the **Staatliche Kunstsammlungen Dresden** (a network of 15 museums) reported continued operational impacts from a **cyberattack**, with museums remaining open but key services still impaired, including online ticketing, card payments on-site, the online shop, and visitor services. Police and the state criminal office initiated investigations, and the Dresden public prosecutor indicated the case may be handled by Saxony’s specialized cybercrime unit (ZCS). The UK government’s discussion of building a **digital ID** system in-house is policy/technology governance reporting and does not describe a specific cyber incident or vulnerability tied to the German developments.
1 month ago
Cyberattack Disrupts Ludwigshafen City Administration IT Services
The city administration of Ludwigshafen experienced a significant IT outage, with all online services, telephone, and email communications rendered unavailable for several days. Initial investigations and monitoring system alerts prompted the city to disconnect its IT systems on November 6, and a forensic analysis was immediately launched. Authorities have since confirmed that indications of a cyberattack have strengthened, though there is currently no evidence of citizen data exfiltration. Emergency protocols were activated, and the city continues to assess the extent of the incident while working to restore services. This incident highlights the ongoing threat to public sector organizations in Germany, as noted in recent reports by the Federal Office for Information Security (BSI), which warns that cyberespionage and attacks on public administration remain a serious concern. The BSI also emphasizes that many institutions, particularly those with political relevance, remain vulnerable due to insufficient security measures. The Ludwigshafen case underscores the need for robust cybersecurity and incident response capabilities in municipal administrations.
1 month ago
Ransomware and Cyberattacks Hit German Firms, Including Alleged DragonForce Data Theft
A series of cyber incidents affected German organizations, including an alleged **DragonForce** ransomware data theft from insurer **HanseMerkur**. DragonForce claimed to have stolen nearly **97 GB** of internal corporate data and leaked materials described as including financial documents (e.g., invoices, tax notes, vouchers) and documents referencing HanseMerkur’s UAE partner **Emirates Insurance**; HanseMerkur had not publicly confirmed the claim at the time of reporting. Reporting also noted DragonForce’s broader activity and claimed partnerships in the ransomware ecosystem. Separately, the **Buhlmann Group** was named by the **Akira** ransomware group, which claimed theft of **55 GB** of sensitive data and threatened publication; Buhlmann indicated a **US subsidiary** was impacted and stated German/EU entities and their systems were not affected. In another incident, beverage bottler **Romina Mineralbrunnen** reported a cyberattack that left it unreachable by phone/email and caused a **production stoppage**; authorities were reported to be investigating, with no confirmed details yet on initial access, malware type, or data theft.
1 month ago