
Suspected Lockbit Ransomware Attack on Italian Tax Agency Potentially Leaked About 100 GB of Data

Italian government authorities are investigating a suspected ransomware attack on the country’s tax agency L’Agenzia delle Entrate, with LockBit claiming to have stolen 98 GB of data.

The LockBit ransomware gang had made ransom demands and threatened to publish the data if its extortion requests were ignored.

IT vendor of Italy’s tax agency disputes LockBit ransomware attack

The Italian tax agency requested feedback and clarification from its IT infrastructure management company, Società Generale d’Informatica (Sogei SpA). The management company also manages the IT infrastructure of the Department of the Treasury, Ministries of Interior, Justice, and Education, and the State Attorney General.

However, Sogei SpA disputed the ransomware attack, adding that its investigation found no evidence of a data breach.

“Regarding the alleged cyber-attack on the tax information system, Sogei SpA concluded from investigations conducted, that no cyber-attacks or data was stolen from the Financial Administration’s platforms and technological infrastructure,” Sogei’s translated statement read.

Sogei SpA added that investigations were ongoing, and it was cooperating with the Italian National Cybersecurity Agency and the Postal Police in their inquiry.

Likely, the suspected ransomware attack did not encrypt devices connected to the network of the Italian tax agency.

“There is no way to recover files after they’ve been encrypted by Lockbit,” Adam Flately, Director of Threat Intelligence at redacted, said. “As with most ransomware variants, the answer is ‘no’ except in extremely rare edge cases that are so unusual that they shouldn’t be part of an organization’s planning.”

Meanwhile, LockBit suggests it exfiltrated documents that the tax agency wishes to keep secret. Potential data stolen includes company documents, scans, financial reports, and contracts. LockBit added the Italian tax agency to its dark web data leak site and shared six screenshots of allegedly stolen data.

While a ransomware attack on a country’s tax agency is potentially devastating, failing to detect a data breach is equally embarrassing.

Gil Dabah, Co-founder and CEO of Piiano, said the ransomware attack had potential implications for the taxpayers’ data and the tax agency’s operations.

“Such an attack impacts two different types of victims. The first type is the organization itself which usually can’t operate since valuable data is now encrypted. The second type of victim is the individual whose data was compromised.”

The most potent ransomware group strikes again

Since its emergence in 2019, the LockBit ransomware group has attacked multiple organizations globally.

In February 2022, the FBI published a flash alert on the increased activities of the Ransomware-as-a-Service (RaaS) group and its indicators of compromise (IoC).

Additionally, the law enforcement agency requested more information on the group and malware samples for further analysis.

“Such a list (of FBI recommendations) may help reduce the chance of a breach, but it doesn’t mitigate the risk of data exfiltration,” Dabah added. “The proper safeguarding of sensitive personal data should be done as part of GDPR regulations. Privacy and customer data protection should receive a higher priority.”

In May 2022, LockBit was responsible for 40% of ransomware attacks, widening the gap with other top APTs such as Conti ransomware, according to the United Kingdom’s NCC Group.

Similarly, Digital Shadows ranked the LockBit ransomware gang among the most active ransomware groups in 2022. The cybersecurity firm attributed to LockBit 33% of the organizations posted on dark web data leak sites in the second quarter of 2022.

In June 2021, the group released LockBit 2.0, which can automatically encrypt network-connected devices by abusing Active Directory group policies. The group also developed a variant exploiting vulnerabilities in VMware ESXi virtual machines.

In June 2022, the extortion group released LockBit 3.0 with bug bounty payments of between $1,000 and $1 million and Zcash payment options.

The LockBit ransomware gang is also among the APT groups with a strong allegiance to Russia, especially during the invasion of Ukraine.

“We’re watching the spread of global cyberwar in real time,” Paul Martini, CEO of iboss, said. “Early reports suggest that Italy is the latest sovereign nation that has come under siege by LockBit, a ransomware group that has pledged allegiance to Russia.

“The shadow cyber war between nations that has been carried out through espionage, disinformation campaigns and strategic attacks on critical targets is just starting to come out of the shadows. We can expect this to boil over and the West is going to need stronger defenses in place to protect government and civilian targets.”

Dr. Darren Williams, CEO and Founder of BlackFog, said LockBit was very active in the last few days, taking responsibility for 12 of 18 attacks the company observed, including St Mary’s in Canada and the Town of Frederick, Colorado.

“As with other cybercriminal gangs of late, data exfiltration followed by extortion is their weapon of choice,” Darren said. “LockBit’s focus appears to be on targeting under-resourced organizations with weak security where they can cause significant disruption, thus increasing the odds of a successful ransom payday.”

Flately recommended a layered approach to defend against ransomware attacks. He advised organizations to gain solid visibility into their networks to detect attacks on time and reduce their dwell times. Additionally, organizations should have well-rehearsed incident response plans, secured backups, and a clear understanding of their Crown Jewels.

“This will greatly help an organization decide whether they can avoid paying the ransom even in double-extortion scenarios if they have already thought out what they can afford to have leaked ahead of time. It removes having to make this high pressure decision while impacted by time crunches and fear,” Flately concluded.