Cyber Incident Victim: Lazio Region
Date: Aug 2021
Location: Italy
Summary
A ransomware attack targeted Italy's Lazio region, encrypting critical IT systems and disrupting operations, including the COVID-19 vaccination registration portal. The incident forced temporary suspension of new vaccine bookings but did not affect existing appointments, with over 50,000 doses administered post-attack. Officials confirmed health and financial data remained secure despite widespread system encryption. The RansomEXX ransomware operation was implicated; its ransom note provided a negotiation link, with no evidence of data exfiltration. The attack occurred amid heightened demand for vaccine registrations linked to Italy's newly introduced digital health pass system, though services were restored within days.
Description
On the night between Saturday, July 31, and Sunday, August 1, 2021, the Lazio region of Italy experienced a significant ransomware attack that disrupted its entire IT infrastructure. The attack encrypted nearly all files within the regional data center, forcing the immediate shutdown of critical systems to contain the incident and prevent further spread of the malicious code. Nicola Zingaretti, President of the Lazio region, publicly confirmed the criminal nature of the attack via a Facebook statement, though the perpetrators and their precise motives remained unidentified at the outset. Among the most severely impacted services was the Salute Lazio health portal, a platform essential for COVID-19 vaccine registration and management, which was rendered inoperable. The regional government suspended new vaccination bookings as a direct consequence of the outage, though existing appointments proceeded without interruption, with 50,000 doses administered on the day following the attack. Officials emphasized that health, financial, and budgetary data appeared secure despite ransomware operators’ typical practice of exfiltrating information for extortion leverage. Emergency response measures included isolating affected systems, conducting internal verifications, and initiating forensic investigations to assess the attack’s scope and origin.

Technical analysis by cybersecurity sources later attributed the attack to the RansomEXX ransomware operation, based on characteristics of the ransom note and its associated Tor negotiation page. The note, which opened with “Hello, Lazio!”, confirmed file encryption and provided a dark web link for communication but did not specify a ransom demand or disclose stolen data. Investigators noted the absence of data theft indicators on RansomEXX’s victim-specific negotiation portal, contrasting with the group’s usual tactics of publishing evidence of exfiltrated files. The incident occurred amid heightened demand for vaccination services following Italy’s announcement of the “Green Pass” system, which mandated proof of vaccination, recovery, or negative testing for access to public venues starting August 6. While regional authorities projected restoration of the booking system within days, the attack introduced operational delays and underscored vulnerabilities in critical healthcare infrastructure during the pandemic. BleepingComputer later reported conflicting attribution intelligence suggesting potential involvement of the LockBit 2.0 ransomware group, though definitive confirmation remained pending at the time of publication.
