
Case Lazio Region (and Erg), the point on the investigations: the failure of ransomware to Italy

by admin

On the fourth day of the ransomware attack on the computer systems of the Lazio Region's healthcare service (and of other strategic Italian organizations, including Erg), it is possible to set out some established facts and the current investigative hypotheses.

Certain points
Let's start with the certain points: those officially confirmed by the parties directly involved or established by incontrovertible evidence.

  • The Lazio Region was hit last Sunday by ransomware, called RansomEXX (from the criminal gang of the same name, presumably Russian), which encrypted critical data and blocked access to it. Among the affected services is the vaccination-booking platform, which is therefore offline. But about ten years of the Region's administrative documents have also been locked. The aim is a ransom. Without these documents (building and environmental permits, waste management) the Region's work is severely compromised.
  • It is impossible to recover this data immediately and independently, because the Lazio Region did not have an offline or offsite backup, that is, one separated from the network. The backup was online, so the malware found it and encrypted it too.
  • Health data, at least, reportedly was not affected, according to the Lazio Region, which therefore expects to be able to restore the vaccination systems by Thursday.
  • The Privacy Guarantor (the Italian data protection authority) is investigating to establish responsibility. As Francesco Pizzetti, former president of the Guarantor, wrote on Twitter, shortcomings in data protection by the Lazio Region could lead to heavy privacy penalties.
  • In the same days the company Engineering announced that it had suffered an intrusion (on July 30). It explained to ItalianTech that the cybercriminals entered its network using credentials found on one of its PCs on a customer's network, which had in turn been attacked. From the Engineering network the criminals entered Erg's network and encrypted some data, disrupting operations. In this case a different ransomware, LockBit 2.0, from another (Russian) gang, was used.
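The second point above describes the failure mode that made recovery impossible: a backup that was online, reachable from the compromised environment, and therefore encrypted along with the originals. As an added example (not code from the article, nor from the Lazio Region, LazioCrea or Engineering), the following Python script audits a host's mount table and reports backup-looking destinations that a process running on that host could write to. The sample mount lines, the path hints and the list of network filesystem types are constructed assumptions for the example; in real use the script would read /proc/mounts.

```python
"""Flag backup destinations that a ransomware process on this host could reach.

Added example, not code from the article or from any organization it names.
It parses /proc/mounts-style lines and reports backup targets that are
mounted read-write here: the 'online backup' arrangement in which malware
running on the host simply finds the backup on the network and encrypts it.
"""
from __future__ import annotations

from dataclasses import dataclass

# Constructed sample in /proc/mounts format (real use: open("/proc/mounts").read()).
SAMPLE_MOUNTS = """\
/dev/sda2 / ext4 rw,relatime 0 0
//fileserver/backups /mnt/backup cifs rw,vers=3.0,username=svc_backup 0 0
nas01:/export/archive /mnt/archive nfs4 ro,relatime 0 0
/dev/sdb1 /data/bak ext4 rw,relatime 0 0
tmpfs /run tmpfs rw,nosuid 0 0
"""

# Path fragments that suggest a mount holds backups (heuristic; assumed, site-specific).
BACKUP_HINTS = ("backup", "bak", "archive", "snapshot")
# Filesystem types that mean the data lives on another machine (assumed list).
NETWORK_FS = {"cifs", "smb3", "nfs", "nfs4"}


@dataclass(frozen=True)
class Mount:
    source: str
    target: str
    fstype: str
    options: frozenset[str]

    @property
    def writable(self) -> bool:
        return "rw" in self.options

    @property
    def is_network(self) -> bool:
        return self.fstype in NETWORK_FS

    @property
    def looks_like_backup(self) -> bool:
        haystack = (self.source + " " + self.target).lower()
        return any(hint in haystack for hint in BACKUP_HINTS)


def parse_mounts(text: str) -> list[Mount]:
    """Parse /proc/mounts lines: 'source target fstype options dump pass'."""
    mounts: list[Mount] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # blank or malformed line
        source, target, fstype, opts = parts[:4]
        mounts.append(Mount(source, target, fstype, frozenset(opts.split(","))))
    return mounts


def audit_backup_exposure(text: str) -> dict[str, list[str]]:
    """Classify backup-looking mounts by whether this host can overwrite them.

    'encryptable': mounted read-write here, so ransomware running on this host
        can encrypt the copies, whether the target is a remote share or a
        second local disk. This is the Lazio Region arrangement.
    'read_only': mounted ro here. Still 'online': the write credentials for
        the remote side may be on this host, so the server must enforce it.
    """
    result: dict[str, list[str]] = {"encryptable": [], "read_only": []}
    for mount in parse_mounts(text):
        if not mount.looks_like_backup:
            continue
        key = "encryptable" if mount.writable else "read_only"
        result[key].append(mount.target)
    return result


if __name__ == "__main__":
    report = audit_backup_exposure(SAMPLE_MOUNTS)
    for status, targets in report.items():
        for target in targets:
            print(f"{status:12} {target}")
```

A read-only mount is not by itself the offline or offsite backup the article refers to: if the credentials that can write to the share are stored on the production host (for example in a backup agent's configuration), malware running with the same privileges can still reach and encrypt the copies. Separation means the production side holds no path and no credential that can overwrite the backups (the backup server pulls from production, or the target enforces retention server-side), and that restores are actually tested.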

The investigations
At this point we enter the realm of suppositions. "There are two hypotheses. Either they are two entirely separate attacks and therefore a coincidence, as Engineering claims, or they are linked. In that case both of them (and not just the one on Erg) passed through the Engineering network," sums up Alberto Pelliccione, founder of Reaqta, who is assisting Erg with the incident. It is true that LockBit and RansomEXX are two separate gangs, which would support the idea of separate attacks. But ransomware gangs often collaborate, sharing resources and information (as reported by the company Malwarebytes). An Italian researcher known on Twitter as JamesWT, with a good reputation in the field, said today that both of these actors attacked the Lazio Region, even if only one followed through. "It is also possible that a third actor is involved, who sold access to Erg, the Lazio Region and other Italian companies (which have also suffered ransomware in recent days) on the market, and that LockBit and RansomEXX bought it," explains Pelliccione. According to this hypothesis, the third actor would have found the access credentials on the Engineering network.

As mentioned, Engineering says it has found no element linking it to the Lazio Region attack (Engineering is one of the Region's security service providers). Sources close to the company, however, leave open the hypothesis, "albeit remote" in their words, that during the attack the criminals managed to find a Lazio Region password on one of its computers.


Poste Italiane has reportedly confirmed the Engineering lead for the Lazio Region. Poste sources, speaking to Italian Tech, consider it possible but not certain; the cybersecurity team of the intelligence services, which is also working on the case, is apparently of the same view. The other possibility is that the criminals (RansomEXX) got directly into a vulnerable PC connected to the Lazio Region network (by exploiting a software vulnerability, a phishing e-mail, ...), that is, without going through a supplier.

The Lazio Region councillor, in a statement to ItalianTech yesterday, identified the source of the attack as a LazioCrea computer (LazioCrea manages the Region's web services); but since there are no details on how it happened, it cannot be ruled out that there is another source further upstream (such as a supplier's network, from which the criminals then reached the LazioCrea PC, as in the Erg case).

Where things stand in the Lazio Region
Officially, the Region and Italy are not negotiating with the criminals to pay a ransom and unlock the data. The ransom demanded, according to various sources, is in the order of a few million euros; such demands are usually negotiated down, and for this purpose the Lazio Region is reportedly contacting a specialized international company. Colonial Pipeline, the American pipeline operator blocked by ransomware in May, paid a ransom of roughly 4.4 million dollars (75 bitcoin), part of which the FBI later recovered.


Without a backup and without paying, the chances of unlocking the data are very remote. "They can only be decrypted if the criminals used ransomware with a bug, but they no longer make these mistakes," explains Paolo Dal Checco, a digital forensics expert.

"The main problem is not the vaccine platform, which can be restored together with the bookings, but the fact that ten years of the Region's documents have been locked," explains Fulvio Sarzana, a lawyer specializing in digital law who in 2005 acted as counsel for the Region in a case of unlawful intrusion into its systems. "It is strange, however, that in 16 years the Region has not secured its accesses so as to prevent a compromised computer from escalating to the entire network," Sarzana adds.

But there will be time to establish these and other responsibilities; for now the priority is to limit the damage to citizens and the country.
