Possible ransomware attack hits Italian vaccine booking system

A cyber attack on a regional Italian government’s IT system shut down Covid-19 vaccination bookings for nearly a week, but attribution remains cloudy.

On 2 August 2021, hackers launched a malware attack on the IT system of the health department of Lazio, the highly-populated region surrounding Rome, forcing its official website and Covid vaccine booking system to go down after a large number of files were encrypted.

In the immediate wake of the attack, regional governor Nicola Zingaretti said it had been launched “by persons unknown… from outside the country,” but described it as being of a “criminal or terrorist nature”.

In a bid to halt the spread of the malware, all computer servers belonging to the region’s government were shut down.

Vaccine reservations began again on 5 August using a new website. A temporary version of Lazio’s website was launched on 9 August. Regional officials expect other digital services to be up and running again in the coming days and weeks.

According to reports in Italian newspaper La Repubblica, the hackers are thought to have gained access to Lazio’s network through the computer of a government employee that had been left open.

The system holds data on “all citizens” in the region, wrote Repubblica, including “the entire ruling class of the country, from [President] Mattarella to [Prime Minister] Draghi,” due to the inclusion of Rome.

However, cyber crime investigators told CNN that sensitive health data, including that of Mattarella and Draghi, had “not been breached by the hackers”.

While the encryption of files indicates a ransomware attack – whereby cyber criminals demand payment in exchange for the files’ decryption – there is still confusion as to who carried out the attack, as the ransom note made no specific demands and did not state which ransomware operation had conducted it.

BleepingComputer has since reported that the ONION URL included on the ransom note is a known Tor site for the RansomEXX operation, but that clicking through to the negotiation page still shows no ransom demand.

On top of this, while RansomEXX negotiation pages usually provide details about the attack, such as the amount of data stolen or screenshots of files, this page showed no indications that RansomEXX stole any data.

In an update to the article from 8 August, Italian security researcher JAMESWT told BleepingComputer that there was evidence the attack was conducted by LockBit 2.0, but that they were unable to share any further information.

Since the attack, it has also been confirmed that the FBI and Europol are assisting Italian police with the investigation into the cyber attack.

Jaya Baloo, chief information security officer at Avast, said ransomware attacks were typically the final step in a chain of events that leads to compromised computer networks, adding that to prevent critical healthcare infrastructure from widespread disruption going forward they must secure their networks and have both online and offline backups in place to restore any loss of important data.

“When an organisation is hit by ransomware, the five steps to take would be to isolate the affected systems, identify and secure backup options, collect log information and conduct forensics where needed, attempt to identify the ransomware strain and see if there is a decryption key available, and contact law enforcement and decide on how to proceed,” she said.

“Moving forward, they should also create an incident response plan which can help them conduct triage and provide not only rapid response capability for security incidents, but also help establish an incremental improvement path. This’ll take time but it’s a critical process, otherwise the door will remain open for the same thing to happen again in the future.

“Unfortunately, we see a rise in successful attacks because ransomware is being run as a service to cyber criminals, which increases both the sophistication and ease of launching an attack. We need national coordination to improve our defenses in critical infrastructure and international cooperation to take down these cybercriminal operations.”