The frequency and sophistication of ransomware attacks has increased significantly since the onset of the pandemic in 2020, targeting healthcare services, educational organisations, governmental institutions and more. In 2021 this upwards trend has not slowed down, making ransomware one of the most prominent threats in the cyber landscape. News of the latest ransomware attack comes from Italy, where early on Sunday 1st August the Lazio Region was targeted by a cyberattack that impacted the regional CED, encrypting every file stored in the data centre. Among the IT networks disrupted by the cyberattack was the Lazio Health portal, which includes the COVID-19 vaccination registration portal for the region. While citizens that had already booked their appointment were still able to attend, new bookings were suspended in the days following the cyberattack. In fact, all the affected systems were deactivated during incident response in order to prevent the attack from spreading, and to allow technicians to carry out the appropriate verifications to avoid further complications. A temporary website to book vaccination appointments was released on 5th August.
Following the cyberattack, council member Lorenzo D’Amato explained that Lazio Region had been the target of an unprecedented powerful hacker attack, but that no health data and vaccination records were compromised as these were stored in a separate database. The bad actors involved in the attack, in addition to the location from which the attack originated, were initially unknown. An initial investigation was opened by Rome’s prosecutors to explore the possibility of an act of terrorism, considering the hackers had targeted critical infrastructure. According to later findings, it appeared that the ransomware attack was part of an operation known as RansomEXX, conducted for financial gain by the homonymous group of hackers. In fact, the ransom note left following the cyberattack, warning the Region that their files had been encrypted and were therefore inaccessible, also contained a link to a page on the Dark Web. The link led to a TOR site known to be associated to the RansomEXX operation. In the negotiation page, the threat actors informed Region Lazio that in order to decrypt their files a ransom needed to be paid, but no amount was set. An Italian cybersecurity researcher suspects that the attack might also involve the LockBit2.0 ransomware, but more verifications need to be carried out.

RansomEXX

The RansomEXX hacker group was created in 2018, and initially went by the name Defray777. Following a rebranding in 2020, the hacker group started gaining widespread attention as a result of the successful cyberattacks it conducted against major organisations, including the Texas Department of Transportation, Brazil’s government networks, Ecuador’s CNT, and Konica Minolta. RansomEXX is known to carry out ransomware attacks by identifying vulnerabilities to exploit, or by compromising credentials. The group is also known for stealing files before encrypting them, with the aim of extorting their victims by threatening to leak the stolen files. However, in the case of the attack on Region Lazio, there is no evidence to suggest the threat actors stole any files. In fact, RansomEXX usually posts proof of which files it has stolen on the negotiation page they share with the victim, but the Lazio Region negotiation page had no such information.

The attack and the database backup

The attack appears to have been carried out by the threat actors by compromising the systems of an employee in smart working, possibly by obtaining the employee’s credentials, which then allowed to access the LazioCrea VPN, spread the malware in the network and encrypt data. Initially, reports suggested that the backup of the Lazio Region files had been compromised as well, and that all data in the backup had been encrypted. In fact, it was disclosed that the Region did not have offline and offsite backups of their data as is usually recommended, and only kept backups online, which allowed the threat actors to access and compromise them. It was later disclosed however, that the Region was successful in recovering data without paying the ransom demanded by the threat actors. This was possible after it was assessed that the data in the backups was stored in a Virtual Tape Library and that this had not been encrypted, but was instead deleted. According to the forensic engineering Dal Checco, this is not an uncommon action, and threat actors might decide to delete data when encrypting it turns out to be too complicated. The technicians from LazioCrea were therefore able to recover data from the backups by working at a low level. While this technique might not always lead to the recovery of all data, it appears that in this case technicians were able to restore everything that was stored in the backup, allowing all systems to be functional again.
Many were initially suspicious about the sudden discovery that the backup had not been encrypted and could be restored, as council members and representatives of the region had initially claimed it was encrypted. In particular, there was speculation over whether Region Lazio had secretly paid the ransom to obtain their data back. At this time there is no evidence to suggest this. According to LazioCrea’s director Gallinella, it is not surprising or suspicious that it took the Region multiple days to find the unencrypted backup, as incident response initially consists of gathering information about the attack and can be a lengthy process.
FBI and Interpol are now assisting Italian authorities in the investigations, with the aim of analysing different attacks carried out by RansomEXX and finding similarities between them. In the meantime, other investigations from the Italian data protection authority, Garante Privacy, are underway to ascertain responsibility, as the discovery of insufficient or inappropriate measures to protect users’ data and privacy could lead to important sanctions.
News of the cyberattack reached mainstream media in Italy, especially due to concerns over the effect the attack would have on the vaccination campaign. In fact, the attack comes shortly after the Italian government has introduced new norms that make having a vaccination green pass mandatory in some circumstances. Since the beginning of the pandemic, the healthcare industry has become one of the main targets of cyberattacks, by threat actors seeking to exploit the opportunities presented by the increased digitalisation used to access services. This, coupled with the shift to smart working for many workers, who typically have no proper training in cybersecurity and might be using vulnerable systems, can create even more opportunities for cybercriminals to exploit. This attack is the latest example of the widespread vulnerability in the cyber environment, and the need for organisations, and healthcare services in particular, to increase their cyber resilience and to prioritise data protection.

Reference list

https://www.aha.org/system/files/media/file/2021/08/hc3-tlp-white-analyst-note-ransomware-attack-on-covid-19-vaccination-registration-portal-in-italys-lazio-region-aug-6-2021.pdf

https://www.agensir.it/italia/2021/08/03/cyber-attack-on-lazio-region-it-systems-rapetto-an-emblematic-incident-testifying-to-widespread-vulnerability/

https://www.ansa.it/sito/notizie/cronaca/2021/08/04/attacco-hacker-al-lazio-anche-fbi-collabora-ad-indagini-_144ed636-6db9-43f1-b04e-bd2acfce8d5a.html

https://www.bleepingcomputer.com/news/security/ransomware-attack-hits-italys-lazio-region-affects-covid-19-site/

https://www.bleepingcomputer.com/news/security/new-ransom-x-ransomware-used-in-texas-txdot-cyberattack/

https://www.cybersecurity360.it/nuove-minacce/regione-lazio-vaccini-bloccati-poco-pronta-contro-il-ranwomare-ecco-perche/

https://www.cybersecurity360.it/nuove-minacce/ransomware/regione-lazio-tutti-i-punti-aperti-dopo-il-backup-ritrovato/

https://formiche.net/2021/08/attacco-ransomware-regiohttps://confluenceprod.crifnet.com/pages/resumedraft.action?draftId=73696800&draftShareId=278e07db-33de-4efb-8b40-ef57c8d72697&

https://www.garanteprivacy.it/home/docweb/-/docweb-display/docweb/9688697

https://www.geekinco.com/2021/08/hacker-attack-on-lazio-region-data.html

https://www.italian.tech/2021/08/04/news/caso_regione_lazio_ed_erg_il_punto_sulle_indagini_lo_scacco_del_ransomware_all_italia-312932780/

https://medium.com/geekculture/its-time-to-talk-about-cyber-resilience-in-italy-too-307252ed1fa1

https://www.punto-informatico.it/regione-lazio-attacco-ransomexx-lockbit-2-0/

https://www.repubblica.it/tecnologia/2021/08/06/news/l_attacco_alla_regione_lazio_il_backup_che_salva_e_i_dubbi_sul_riscatto-313139323/

https://www.repubblica.it/tecnologia/2021/08/03/news/l_attacco_alla_regione_lazio_e_partito_dal_pc_di_un_dipendente_in_smartworking-312819783/

https://www.reuters.com/article/italy-hack/prosecutors-probe-terrorism-among-reasons-behind-italy-region-hacking-sources-idINL8N2PA5N7

https://www.scmagazine.com/analysis/application-security/cyberattack-shuts-down-italian-regions-covid-19-vaccine-scheduling-app

https://www.securitymagazine.com/blogs/14-security-blog/post/93936-the-year-in-ransomware-key-targets-extortion-tactics-and-what-to-do

https://siliconangle.com/2021/08/03/italian-vaccine-booking-site-taken-offline-ransomware-attack/

https://tech.everyeye.it/notizie/attacco-hacker-regione-lazio-criptato-backup-dati-come-guerra-533101.html