
The Italian strategy behind ransomware response

A trove of highly sensitive data was exposed in the latest incident. Still, the authorities' uncompromising reaction carried echoes of how Italy managed to stop kidnap ransoms altogether thirty years ago. Stefano Mele, a cybersecurity expert, believes it’s time to reclassify ransomware attacks.

For the first time in Italian institutional history, a ransomware attack exposed personal data. Several thousand files were recently leaked online by the cybercriminal collective known as LockBit 2.0 after the Venetian regional authorities refused to pay them a ransom that reportedly ranged from 800,000 to well over 2 million euros.

LockBit 2.0 broke into the servers of Padua’s regional health system on the night between December 2 and 3, obtaining access to private records – medical and financial – and impairing operations. Hospitals, clinics and even Covid-19 vaccination centres suffered severe outages until the system was brought fully back online on December 20.

“We came out of the hacker attack in Padua with broken bones,” said the Venetian governor Luca Zaia at the time, “but [the blackmailers] shouldn’t come asking us any ransoms: we won’t give anything to anyone, they’re just wasting time on us.” The criminals then published a note on January 2, threatening to release the files if the authorities didn’t pay up. They didn’t, and police forces were unable to prevent the publication of over 7,000 files, which are still available on a dark web page.

The leaked data comprises names, phone numbers, home addresses, and medical records, ranging from mild ailments and Covid-19 results to terminal cancer, including details relating to private struggles with sexual violence, alcoholism, and drug use. It also includes clinical guidelines, treatment protocols, payslips, and forensic and judicial reports reconstructing assaults or suspected crimes.

The Lead Years and the Italian solution

This was not the first cyberattack on Italian health institutions – an attack on the Latium region’s health system over the summer disrupted the vaccination drive – but it’s the one that has carried the most serious repercussions so far. It’s noteworthy, though, that Mr Zaia did not hesitate to adopt a hard line against the cybercriminals.

That is not standard behaviour in light of what happened around the worst ransomware attacks that were carried out globally in 2021. But it’s quite possible the 53-year-old governor resorted, perhaps instinctively, to the techniques adopted by the Italian State after that tense period in Italian history known as the Lead Years, when dealing with ransom payments had become a frequent occurrence.

Back then, the peninsula was a fractious and politically polarised place. Social instability and extreme partisanship had created fertile grounds for crime, and the kidnapping of wealthy individuals proved a lucrative affair for extremist groups and more common criminals, including mafia organisations. Kidnappings were especially common between 1975 and 1985, with a peak of 75 in a single year.

After years of high-profile kidnapping cases and ever-larger sums being paid to criminals, in 1991 the Italian government took a decisive step. It enacted a law that established the freezing of the financial assets of the captive’s family and loved ones, i.e. those who could have been coerced into paying. The somewhat brutal reasoning held that it was necessary to destroy the incentive for criminals to kidnap people, eradicating the possibility of a reward.

This strategy worked incredibly well: kidnapping rates all but flattened within a couple of years, and the 1991 law was widely credited with this success. Nowadays, the Italian approach is increasingly viewed among ransomware negotiation experts as a valid solution to combat the growing issue, as reported by The New Yorker and MIT Technology Review. Meanwhile, many world governments, comprising most of the global West, have agreed to deepen collaboration on the issue.

Those countries “recognised the need for urgent action” and detailed possible responses in a joint statement. “Efforts will include improving network resilience to prevent incidents when possible and respond effectively when incidents do occur; addressing the abuse of financial mechanisms to launder ransom payments or conduct other activities that make ransomware profitable; and disrupting the ransomware ecosystem via law enforcement collaboration to investigate and prosecute ransomware actors, addressing safe havens for ransomware criminals, and continued diplomatic engagement.”

Let’s start by classifying

Ransomware attacks have been on the rise throughout 2021, in Italy as elsewhere in the world, partly due to crime syndicates (such as LockBit 2.0 itself) offering their hacking tools to third parties and keeping a percentage of the proceeds of a successful operation, a model known as Ransomware-as-a-Service (RaaS).

Decode39 reached out to Stefano Mele, a lawyer and cybersecurity expert, for a comment. “We urgently need to open a serious political debate in order to classify as national security threats the ransomware attacks aimed at public and private entities that provide an essential service to citizens, such as hospitals and healthcare facilities,” he said.

It’s clear by now that these types of attacks have been growing steadily for some years, he continued, especially in terms of target “quality” and the extortion techniques used to obtain ransom payments. Groups such as LockBit 2.0 are an increasingly ominous IT threat in the life of any company or public administration, he added.

Attacks on health facilities are especially cynical: not only do they cause immediate damage to the victim organisation, rendered unable to use most – if not all – of its technological infrastructure efficiently, they also force decisions of vital importance in legal, ethical, procedural and reputational terms, which have to be taken within a few hours.

“Furthermore, a ransomware attack may result in the disruption of an essential service or function that is vital to the interests of the State.” This happened in Italy at the height of the first wave of Covid-19, in April 2020. Back then, the secret services and cybersecurity teams had to meet urgently to analyse the operational blockade of several hospitals following cyber attacks of an extortionate nature. “It’s easy to understand how the issue is now more topical than ever and even more urgent,” concluded Mr Mele.
