The attack on the Lazio Region, the backup that saves everything and the doubts about the ransom

by admin

The good news is that in Lazio everything will be running again by August: the data was restored from a backup. The Region itself said the backups were not encrypted, unlike the other data hit by the ransomware in the datacenter, but only deleted, and the technicians had to work for days to recover them.

A plausible story, says Paolo Dal Checco, forensic engineer and one of the top experts on the subject: “It can happen that the data is only deleted, although usually the ransomware can also encrypt backups.”

The story perplexes several technicians, particularly on Twitter and in security chat groups on Telegram: Matteo Flora, for example, said he was skeptical of the announcement that the data had been found (presented for the first time last night by Corrado Giustozzi, who is working on the case and who, so far, is said to have always spoken with the Region’s authorization), but “it will be easy to see whether or not they have paid the ransom. If the data does not come out, they have paid.”

In short, the suspicion is that the data was recovered because the Region paid the ransom, a hypothesis rejected from the outset, also by the government. In any case, the vaccine platform is already back online because the health data was never encrypted (it was kept safe elsewhere, the Region said).

Backup
The Region told Italian Tech that the backup was made automatically to a Virtual Tape Library system, which simulates tape storage.

Dal Checco explains: “The backup data is usually less easily encrypted because it is on devices and systems other than those where the ransomware has entered. Sometimes criminals can’t access it, especially if the backup rules prevent these actions. And so they just delete the backup.” In this case it was a deletion plus a double reinstallation of the system (as Giustozzi said), in an attempt to make the data unavailable.

However, the Region found the data at a lower level, in the sense that it was still physically present on the disks. A long restoration effort, starting from these faint traces, made the recovery possible. It is also not surprising that the Region took so many days to find the backup: “In these cases, for the first few days, no data analysis is done, only a forensic copy, to acquire the evidence of the crime and preserve it. No attempt is made to see whether any data is still available,” Dal Checco told us. And then, the Region explains, the technicians wanted to be sure that the systems had been cleaned of the ransomware before intervening.
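An added example, not from the article or from the Region’s systems: a toy disk model showing why a backup that is merely deleted can be carved back from the raw blocks, as described above, while one that is encrypted in place cannot. The block layout, record header, sample payload and key are all constructed for illustration.

```python
"""Toy block device: a directory table plus a data area (constructed layout).
'Deleting' only clears the directory entry, so the record stays on disk and a
header search (carving) recovers it. 'Encrypting' overwrites the bytes in
place, so the same search finds nothing."""
import hashlib
import struct

BLOCK = 64                 # bytes per block (constructed value)
NBLOCKS = 16
MAGIC = b"VTLBKP1\x00"     # constructed header marking a backup record


class ToyDisk:
    def __init__(self):
        self.blocks = bytearray(BLOCK * NBLOCKS)
        self.dir = {}      # name -> (byte offset, record length)

    def write(self, name, payload, first_block=1):
        rec = MAGIC + struct.pack(">H", len(payload)) + payload
        start = first_block * BLOCK
        self.blocks[start:start + len(rec)] = rec
        self.dir[name] = (start, len(rec))

    def delete(self, name):
        del self.dir[name]          # only the reference goes away

    def encrypt_in_place(self, name, key):
        start, length = self.dir[name]
        # Toy keystream (SHA-256 counter mode); stands in for real ransomware crypto.
        stream = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                          for i in range(length // 32 + 1))
        cipher = bytes(a ^ b for a, b in zip(self.blocks[start:start + length], stream))
        self.blocks[start:start + length] = cipher


def carve(disk):
    """Ignore the directory and scan raw blocks for record headers."""
    found, pos = [], disk.blocks.find(MAGIC)
    while pos != -1:
        n = struct.unpack(">H", disk.blocks[pos + 8:pos + 10])[0]
        found.append(bytes(disk.blocks[pos + 10:pos + 10 + n]))
        pos = disk.blocks.find(MAGIC, pos + 10 + n)
    return found


def demo():
    deleted = ToyDisk(); deleted.write("backup.vtl", b"backup-set-2021-07")
    deleted.delete("backup.vtl")
    encrypted = ToyDisk(); encrypted.write("backup.vtl", b"backup-set-2021-07")
    encrypted.encrypt_in_place("backup.vtl", b"constructed-key")
    return carve(deleted), carve(encrypted)   # -> ([b"backup-set-2021-07"], [])
```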

“You have to know that by now these ransomware attacks no longer act fully automatically,” Dal Checco said again. “Behind them there are people who enter the systems and see what to do and what to encrypt. And they can decide to delete something rather than encrypt it. Or even perform irrational actions.”

It remains unexplained why the regional health councillor publicly said that the backup was encrypted: was he perhaps mistaken? On this point, the Lazio Region has not yet responded to Italian Tech.

Was the data stolen?
As Flora said, the other point that raises questions is whether there has been data theft (exfiltration). Ransomware gangs usually do this, either to blackmail the victim or to resell the data.

RansomEXX, the allegedly Russian gang that hit the Region with the ransomware of the same name, usually does this too. Why would it not have done so this time? The Region has not communicated this possibility, and no data attributable to it has yet been found on the dark web.

What is certain is that the story does not end here, also because of the investigation by the Privacy Guarantor, which could sanction the Region for what happened under European legislation.
