Italian Vaccine Registration System Possibly Hit with Ransomware [Updated]
The Region’s President Announced That Residents of Lazio Will Not Be Able to Book New Appointments for Several Days.
Update – A shared ransom note that reads “Hello, Lazio!” and warns the Italian region that its files were encrypted was published earlier today by BleepingComputer. The ransom note also includes a link to a private dark web page that Lazio can use to negotiate with the threat actors.
It is believed that the cyberattack was either conducted by the RansomEXX ransomware operation or LockBit 2.0, according to Italian security researcher JAMESWT.
Although the ransom note doesn’t specify which operators are responsible for the attack, the ONION URL listed within the text is a known Tor site for the RansomEXX gang.
Residents of Lazio, one of Italy’s largest regions, are currently blocked from booking new vaccination appointments after a breach of the vaccination registration system last weekend, suspected to be a ransomware attack.
Lazio President Nicola Zingaretti revealed in a Facebook post that residents of the area (including Rome) won’t be able to book new appointments for several days.
The message reads:
In the night between Saturday and Sunday, the Lazio Region suffered a first cyberattack of criminal origin. We do not know who the perpetrators are, nor their purposes.
The attack blocked almost all files in the data center. The vaccination campaign continues regularly for all those who have already booked their appointment. In the next few days, the now-suspended vaccine reservations will be open. At the moment the system is turned off to allow internal verification and to prevent the spread of the virus introduced with the attack.
LazioCrea informs us that health data are safe, as well as financial and budget data.
We are migrating essential services to external clouds to make them operational as soon as possible.
I thank the regional council that today, despite the current situation, has decided to hold the council meeting. An important sign that we do not stop.
As president, in thanking them for their commitment, I appeal to all operators and employees not to give up and to move forward with administrative activities. We apologize to the citizens for the inevitable delays.
112, Ares 118, Emergency Department, Transfusion Center, and Civil Protection are safe and are providing services regularly.
The Green Pass is sent in the usual way, thanks to the collaboration with the commissioner.
As for the CUP: we are working to get it back into operation. To request the services, you can contact the call center on 06 99 39. The appointments already fixed will take place regularly.
The situation is serious and serious and we immediately alerted the Postal Police and the highest levels of the State, whom we thank.
While the attackers’ identity and intentions were not immediately clear, the Italian vaccination registration system breach appears in fact to be a ransomware attack.
Zingaretti declared that the threat actors had blocked almost every file in the system’s data center and that the regional health network had shut down its servers to prevent the attack from spreading.
This is the usual MO of ransomware operators, who encrypt a computer network’s files in the hope that they can later request payment from the victims in exchange for a decryption key.
Another clue could be the fact that the vaccination registration system breach occurred over the weekend, a common time for opportunistic cybercriminals who know they are less likely to be noticed and obstructed by IT admins.
Back in April, the US Department of Justice warned that hackers were creating COVID-19 vaccine survey scams aimed at consumers. The attackers promised victims money or rewards for filling out the phony surveys. In reality, they simply collected the personally identifiable details victims entered, using them to sustain scams including identity theft.
In May, the U.S. Attorney’s Office for the District of Maryland shut down a fake COVID-19 vaccine website that was stealing the visitors’ data.