HC3 TLP White: Analyst Note Ransomware Attack on COVID-19 Vaccination Registration Portal in Italy's Lazio Region

Ransomware Attack on COVID-19 Vaccination Registration Portal in Italy's Lazio Region Possibly Involved Two Ransomware Variants (RansomEXX and LockBit2.0)

Executive Summary

On August 1, 2021, the Lazio region in Italy suffered a ransomware attack that took down the region’s COVID-19 vaccination registration portal, halting new vaccination appointments for several days. A new, temporary website came online on August 5, 2021, with the original site expected to relaunch on Monday, August 9, 2021. While most media outlets report that RansomEXX ransomware was responsible for the attack, an Italian security researcher claimed to have evidence that LockBit 2.0 was also involved. A terrorism investigation has been opened in Italy as a result of the attack.

Report

Between Saturday night, July 31, 2021, and Sunday morning, August 1, 2021, the Lazio region in Italy suffered a RansomEXX ransomware attack that disabled the region's IT systems, including the COVID-19 vaccination registration portal. In addition, an Italian security researcher claimed to have evidence that the attack may also have involved LockBit 2.0 ransomware. While the tweet has since been deleted, a screenshot was obtained (see below). The systems were shut down during incident response to allow for internal verification following the attack and to prevent further spread of the infection. Separately, the LockBit 2.0 ransomware gang is actively recruiting corporate insiders to help it breach and encrypt networks, according to BleepingComputer.

The Lazio region of Italy is the second most populated region of Italy and includes the country's capital, Rome. President of the Lazio Region, Nicola Zingaretti, said that a terrorism investigation had been opened as a result of the attack, stating that, while the perpetrators were still unidentified, the attack likely came from abroad.

According to the Councilor for Health of Lazio, Alessio D’Amato, the attack likely began after the administrator credentials of an employee of LazioCrea (the company that manages the region's computer network) were compromised and obtained by the threat actors. With those credentials, the attackers were able to log on to the LazioCrea VPN and deploy ransomware on the regional CED (data center) network.

Chuck Everette, director of cybersecurity advocacy at cybersecurity company Deep Instinct Ltd., stated that “the attack on Lazio’s vaccine portal appears to be part of a supply chain attack and is therefore not an isolated incident. As this attack is part of a wider campaign, it should be the cause of further concern for other government agencies and healthcare organizations across the world.”

While the ransomware attack reportedly encrypted almost every file in the data center, officials stated that vaccinations would continue as normal for those who had already booked an appointment, while new vaccine bookings would be suspended for the next few days following the incident. On August 3, 2021, the Lazio Region stated on Twitter that the services for booking vaccination appointments would be restored within 72 hours, by Friday, August 6, 2021. On August 5, 2021, the president of the Lazio region stated that vaccination appointments had resumed on a new website at prenotavaccino-covid.regione.lazio.it, while a temporary version of the original site for vaccine appointments would reportedly launch on Monday, August 9, 2021.

The RansomEXX ransomware-as-a-service (RaaS) operation, previously known as Defray777, has been active since 2018 but gained notoriety in 2020 after attacks on major organizations, including the Texas Department of Transportation. RansomEXX started as a Windows variant, but a Linux variant was discovered in January 2021. The ransomware is usually delivered as a secondary in-memory payload that never touches the disk, which makes it harder to detect and highly evasive. In February 2021, RansomEXX ransomware hit the French health insurance company Mutuelle Nationale des Hospitaliers (MNH), severely disrupting the company's operations.


For help with Cybersecurity and Risk Advisory Services exclusively for AHA members, contact:

John Riggi

Senior Advisor for Cybersecurity and Risk, AHA

jriggi@aha.org

(O) +1 202 626 2272