The Lazio region in Italy has suffered a massive ransomware attack that has disabled the region’s IT systems, including the COVID-19 vaccination registration portal.
Early Sunday morning, the Lazio region suffered a ransomware attack that encrypted every file in its data center and disrupted its IT network.
“On the night between Saturday and Sunday the Regione Lazio suffered a first cyber attack of criminal matrix. We don’t know who is responsible and their goals,” Nicola Zingaretti, the President of the Lazio region, said in a statement.
“The attack blocked almost every file in the data center. The vaccination campaign continues as normal for all those who have booked. Vaccine bookings will open for now suspended in the next few days. The system is currently shut down to allow internal verification and to avoid the spread of the virus introduced with the attack.”
While ransomware gangs are known to steal data during an attack as leverage in extortion attempts, the region states that health, financial, and budget data are safe.
The outage has also affected the Salute Lazio health portal used to register for COVID-19 vaccines.
“There is a powerful hacking attack on regional ced. The systems are all disabled including all of the Salute Lazio portal and the vaccine network. All defense and verification operations are under way to avoid the misappropriation. Vaccination operations may experience delays,” the region said in a statement.
In June, Italy instituted a new ‘Green Pass’ certificate system that allows people to prove that they have been vaccinated, tested negative, or previously had COVID-19.
Starting on August 6th, this green pass will be required for indoor dining at restaurants and bars and for access to fitness centers, amusement parks, museums, and other locations with large crowds.
With over 70% of the Lazio population vaccinated and a massive surge in registrations since the announcement of the Green Pass policy, there is concern that the disruption to the online COVID-19 vaccination
However, the region states that there has been no disruption to existing appointments for vaccinations and that the online registration system should be back online in a few days.
“The vaccination campaign won’t stop! In yesterday’s day, 50 thousand vaccines were administered, despite the biggest cyber attack suffered,” the region stated on Facebook.
RansomEXX ransomware is behind the attack
In a redacted ransom note shared from the attack on Lazio, the threat actors state, “Hello, Lazio!” and warn the region that their files were encrypted. The ransom note also includes a link to a private dark web page that Lazio can use to negotiate with the ransomware gang.
The ransom note does not state which operation conducted the attack, but the onion URL listed is a known Tor site for the RansomEXX operation.
RansomEXX IOCs to be used by SOC and Threat Intel groups
You can find the complete list of detection IOCs for RansomEXX here.