{
	"id": "274ba93a-2c77-46d3-b05e-5af3d5618805",
	"created_at": "2026-04-06T00:13:54.158808Z",
	"updated_at": "2026-04-10T13:11:32.667624Z",
	"deleted_at": null,
	"sha1_hash": "cace1319a0d4a75a91080c74266e339f861446e1",
	"title": "Ransomware attack hits Italy's Lazio region, affects COVID-19 site",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4047767,
	"plain_text": "Ransomware attack hits Italy's Lazio region, affects COVID-19 site\r\nBy Lawrence Abrams\r\nPublished: 2021-08-03 · Archived: 2026-04-05 23:05:11 UTC\r\nThe Lazio region in Italy has suffered a reported ransomware attack that has disabled the region's IT systems, including the\r\nCOVID-19 vaccination registration portal.\r\nEarly Sunday morning, the Lazio region suffered a ransomware attack that encrypted every file in its data center and\r\ndisrupted its IT network.\r\n\"On the night between Saturday and Sunday the Regione Lazio suffered a first cyber attack of criminal matrix. We don't\r\nknow who is responsible and their goals,\" Nicola Zingaretti, the President of the Lazio region, said in a statement on\r\nFacebook.\r\nhttps://www.bleepingcomputer.com/news/security/ransomware-attack-hits-italys-lazio-region-affects-covid-19-site/\r\nPage 1 of 5\n\n\"The attack blocked almost every file in the data center. The vaccination campaign continues as normal for all those who\r\nhave booked. Vaccine bookings will open for now suspended in the next few days. The system is currently shut down to\r\nallow internal verification and to avoid the spread of the virus introduced with the attack.\"\r\nWhile ransomware gangs are known to steal data during an attack as leverage in extortion attempts, the region states that\r\nhealth, financial, and budget data are safe.\r\nThe outage has also affected the Salute Lazio health portal used to register for COVID-19 vaccines.\r\n\"There is a powerful hacking attack on regional ced. The systems are all disabled including all of the Salute Lazio portal and\r\nthe vaccine network. All defense and verification operations are under way to avoid the misappropriation. 
Vaccination\r\noperations may experience delays,\" the region said in a statement.\r\nIn June, Italy instituted a new 'Green Pass' certificate system that allows people to prove that they have been vaccinated,\r\ntested negative, or previously had COVID-19. \r\nThis green pass will be required for indoor dining at restaurants and bars and be required to access fitness centers,\r\namusement parks, museums, and other locations with a large crowd starting on August 6th.\r\nWith over 70% of the Lazio population vaccinated and a massive surge in registrations since the announcement of the Green\r\nPass policy, there is concern that the disruption to the online COVID-19 vaccination \r\nHowever, the region states that there has been no disruption to existing appointments for vaccinations and that the online\r\nregistration system should be back online in a few days. \r\n\"The vaccination campaign won't stop! In yesterday's day, 50 thousand vaccines were administered, despite the biggest\r\ncyber attack suffered,\" the region stated on Facebook.\r\nIf you have first-hand information about this or other unreported cyberattacks, you can confidentially contact us on Signal at\r\n+16469613731 or on Wire at @lawrenceabrams-bc.\r\nPossible RansomEXX ransomware attack\r\nToday, sources have told BleepingComputer that the cyber attack on Lazio was conducted by a ransomware operation\r\nknown as RansomEXX.\r\nIn a redacted ransom note shared from the attack on Lazio, the threat actors state, \"Hello, Lazio!\" and warn the region that\r\ntheir files were encrypted. 
The ransom note also includes a link to a private dark web page that Lazio can use to negotiate\r\nwith the ransomware gang.\r\nAlleged Lazio ransom note\r\nThe ransom note does not state what operation conducted the attack but the ONION URL listed is a known Tor site for the\r\nRansomEXX operation.\r\nBleepingComputer also received a screenshot of the negotiation page warning that the region must pay a ransom to decrypt\r\ntheir files. The threat actors gave no ransom demand.\r\nRansomEXX negotiation pages are unique per victim, and if the threat actors stole data during the attack, the threat actors\r\nprovide details on the page, including the amount of data stolen and screenshots of files.\r\nIn this case, the negotiation page showed no indications that RansomEXX stole any data.\r\nUpdate: After posting our article, Italian security researcher JAMESWT stated that there is evidence in Italy that the attack\r\nwas conducted by LockBit 2.0 but could not share further information.\r\nBleepingComputer will update this article when more information becomes available.\r\nWho is RansomEXX\r\nThe RansomEXX gang launched their operation originally under the name Defray in 2018. 
However, in June 2020, the\r\noperation rebranded as RansomEXX where it began to target large corporate entities more actively.\r\nSimilar to other ransomware operations, RansomEXX will breach a network using vulnerabilities or stolen credentials.\r\nOnce the threat actors gain access to a network, they quietly spread through the network while stealing unencrypted files for\r\nextortion attempts.\r\nAfter gaining access to the Windows domain controller, they deploy the ransomware on the network to encrypt all devices.\r\nThe RansomEXX gang has a history of high-profile attacks, including Brazil's government networks, the Texas Department\r\nof Transportation (TxDOT), Konica Minolta, IPG Photonics, and Ecuador's CNT. \r\nUpdate 8/3/21: Added information about it possibly being LockBit 2.0.\r\nSource: https://www.bleepingcomputer.com/news/security/ransomware-attack-hits-italys-lazio-region-affects-covid-19-site/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/ransomware-attack-hits-italys-lazio-region-affects-covid-19-site/"
	],
	"report_names": [
		"ransomware-attack-hits-italys-lazio-region-affects-covid-19-site"
	],
	"threat_actors": [
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434434,
	"ts_updated_at": 1775826692,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/cace1319a0d4a75a91080c74266e339f861446e1.pdf",
		"text": "https://archive.orkl.eu/cace1319a0d4a75a91080c74266e339f861446e1.txt",
		"img": "https://archive.orkl.eu/cace1319a0d4a75a91080c74266e339f861446e1.jpg"
	}
}