Lockbit’s at it again. The Russia-linked hacker group has claimed responsibility for the cyberattack that experts have labelled as “one of the largest in the history of the Italian public administration.” Lockbit has been responsible for some of the biggest ransomware attacks over the past years, including in Italy, where they paralysed a regional healthcare system in 2021 and exposed a trove of citizen personal data in January 2022.
- Although they are ostensibly apolitical, Lockbit members and software originate from Russian cyberspace and are – either directly or indirectly – part of the expanding Russian cyber offensive against the Italian State.
- The cybergang also offers its software to third parties, a practice known as Ransomware-as-a-Service.
An aggression against the State. On December 8 a systemic ransomware aggression began targeting the Milan and Rome server farms of Westpole, a cloud infrastructure provider hosting several services of PA Digitale – another private company that services over 1,300 entities in the Italian public administration, including 540 municipalities, some provinces, several associations of municipalities and mountain communities, and bodies such as the Agency for Digital Italy (AGID) and the Anti-Corruption Authority (ANAC).
- The attack lasted until the evening of December 18, when the National Cybersecurity Agency said in an official note that it had been able to recover the encrypted data and make it available to restore the affected operations, of which there were over 700.
Here comes the “ransom” part. The attack encrypted multiple servers and caused large-scale disruption in areas like payrolls and citizen payment services, certified mailing systems, ID services, public notice boards and automatic protocols, forcing some public offices to revert to analog systems, specialist website Cybersecurity360 reported. No data was exfiltrated from the institutions, according to communiqués by Westpole, PA Digitale and several municipalities (although Lockbit software is known for stealing data on top of encrypting it at its source).
- Still, Il Sole 24 Ore reported that Lockbit cybercriminals have sent ransom demands, to be settled via cryptocurrencies, to Westpole itself. This lends credence to the thesis that the cyberattack was merely economic in nature – which, of course, does not diminish the seriousness of an attack that brought a substantial number of public administration offices to a halt.