Italy investigating ransomware attack on tax agency

Prolific ransomware group LockBit added Italy's tax agency to its list of victims this weekend, but the company investigating the alleged attack said Monday there was no evidence of a breach.

L'Agenzia delle Entrate did not respond to requests for comment but released a statement on Monday saying it asked Sogei, an IT company owned by the Ministry of Economy and Finance, to investigate the alleged ransomware attack. 

Sogei then released a lengthy statement saying that, after analyzing the incident, "no cyberattacks have occurred or data stolen from the financial administration's technological platforms and infrastructures."

The organization said it was working with Italy's National Cybersecurity Agency and the Postal Police to support "the ongoing investigations."


LockBit claimed to have stolen 78 GB of data and gave the agency about six days to respond before the information is leaked. The ransomware group then extended the deadline to August 1 and claimed it now had 100 GB worth of data. 

The gang also provided several screenshots of what it allegedly stole. 

LockBit, a ransomware-as-a-service operation that began in 2019, overtook Conti in June as the most prolific ransomware group in terms of publicly claimed victims.

The group recently rebranded and launched attacks on a small town in Colorado, French mobile phone network La Poste Mobile, a Foxconn factory, a Canadian fighter jet training company, and a popular German library service.

The ransomware gang took credit for more than 50 ransomware incidents in June, bringing its total victim count to 903, according to data collected by Recorded Future from extortion sites, government agencies, news reports, hacking forums, and other sources.

Several ransomware experts, including Intel 471 Director of Intelligence Brad Crompton, have raised concerns about members of the recently disbanded ransomware group Conti joining gangs like LockBit.

“Given that former Conti actors or affiliates have branched out to some of the most active RaaS groups currently operating, the threat is serious,” Crompton said. 

“Conti had some skilled operators along the various steps of a ransomware attack. By integrating those people into their own schemes, other RaaS groups like LockBit 3.0 or ALPHV only grow stronger.”


Ransomware gang statistics for June 2022.

Just as Conti, in its last confirmed attack, targeted the government of Costa Rica as it was transitioning between presidents, LockBit's alleged attack coincides with the resignation of Italian Prime Minister Mario Draghi last week, which threw the government into turmoil. 

In recent months the country has been targeted by several ransomware groups, which attacked a hospital in Milan, the city government of Palermo, the Italian Banking Association and more. 

In August 2021, the RansomEXX gang attacked and shut down the government of Lazio's portal for COVID-19 vaccinations and other IT systems.

In May, the websites of Italy’s parliament, military and National Institute of Health faced disruptions by a pro-Russian hacking group.

Get more insights with the
Recorded Future
Intelligence Cloud.
Learn more.
No previous article
No new articles
Jonathan Greig

Jonathan Greig

is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.