COVID-19 vaccine portal for Italy's Lazio region hit with cyberattack

UPDATE: Sources told BleepingComputer on Tuesday that the attack was perpetrated by the RansomEXX ransomware group, which previously hit Konica Minolta and other government organizations.
Written by Jonathan Greig, Contributor

The government of Lazio, Italy, took to Facebook this weekend to notify residents of a cyberattack that hit the region's portal for COVID-19 vaccinations and other IT systems.

In a translation of the message posted to the official Lazio government Facebook page, officials said a "powerful" attack had hit the region's databases on Sunday and that all systems are disabled, including the Salute Lazio portal and the system that managed the COVID-19 vaccine bookings.

They added that vaccination operations may experience delays because of the attack. Government officials did not say if it was a ransomware attack. 

Nicola Zingaretti, president of the Lazio Region, also took to Facebook to let residents know that officials still had not identified the people behind the attack, but he noted that the attack was "of criminal origin."

Zingaretti explained that the initial attack took place on Saturday night into Sunday morning and that it "blocked almost all of the files in the data center." 

"At the moment the system is shut down to allow internal verification and to prevent the spread of the virus introduced with the attack. LazioCrea informs us that health data is safe, as well as financial and budget data," Zingaretti said. 

"We are migrating essential services to external clouds to make them operational as soon as possible. 112, 118, Emergency Department, Transfusion Center and Civil Protection are safe and are providing services regularly. The situation is serious and we immediately alerted the Postal Police and the highest levels of the State, which we thank."

He later told a press conference that the region was facing an attack "of a terrorist nature" and called it a criminal offensive that is "the most serious that has ever occurred" on Italian territory.

"The attacks are still taking place. The situation is very serious," he said, according to ANSA. A source told the news outlet that the cyberattackers gained access to the system using the profile of an administrator. 

Through the stolen profile, they were able to activate a "crypto-locker" malware that "encrypted the data on the system," the sources said. CNN reported that local officials have received a ransom demand. 


Lazio Region president Nicola Zingaretti visits a local hospital after the cyberattack. 

Screenshot of Nicola Zingaretti's Facebook page

In subsequent messages, Zingaretti touted officials in Lazio who continued the COVID-19 vaccination drive in spite of the attack. He announced that the region reached a milestone of having 70% of the adult population vaccinated.

Lazio region's health manager Alessio D'Amato told Reuters that the attack was "very serious" and that "everything is out." A state news agency said prosecutors in Rome and other law enforcement bodies are looking into the attack.  

The local government used Facebook to update residents about the COVID-19 situation in the region and said that due to the IT systems being down, they were only able to share data about new COVID-19 positive cases, deaths and hospitalizations. 

Even though most IT systems were offline, some had been restored, including emergency networks, time-dependent networks, and hospital systems. The local government reiterated that the vaccination drives would continue in spite of the attack. 

"The vaccination campaign won't stop! Yesterday, 50,000 vaccines were administered, despite the biggest cyberattack suffered. Until August 13th, there are over 500,000 citizens who have their reservation and can go to the administration centers on the date and time indicated above," government officials wrote on Facebook. 

"Technicians are working to safely reactivate new bookings as well and no data has been stolen. We're in constant contact with the commissioner's structure to ensure vaccination users have a green pass as usual."

In another message, Lazio officials reiterated that the hacker failed to stop the Lazio vaccination campaign.

"We will not stop in the face of this attack," the officials wrote. 

Throughout the COVID-19 pandemic, cybercriminals routinely attacked hospitals and healthcare facilities with ransomware, knowing they would be more likely to pay ransoms due to the need for lifesaving medical technology.

Multiple countries, like Ireland and New Zealand, are still in the process of recovering from devastating ransomware attacks that crippled their hospital IT systems for weeks. 

UPDATE: Sources told BleepingComputer on Tuesday that the attack was perpetrated by the RansomEXX ransomware group, which previously hit Konica Minolta, the Texas Department of Transportation, US government contractor Tyler Technologies, Montreal's public transportation system, and Brazil's court system (STJ).

The group made waves last year after becoming the first major Windows ransomware strain to be ported to Linux to aid in targeted intrusions.

BleepingComputer obtained a copy of the ransom note, in which the people behind RansomEXX demand that government officials in Lazio pay an undisclosed ransom. There is still no indication that data was stolen from any of Lazio's systems.
