LockBit ransomware gang says it breached Italy's Internal Revenue Service, threatens to leak stolen data

The notorious LockBit ransomware gang is claiming to have stolen as much as 100 GB of data from the servers of Italy’s Internal Revenue Service (L’Agenzia delle Entrate).

In an official statement published on its website, Italy’s Internal Revenue Service (L’Agenzia delle Entrate) has revealed that it is looking into the alleged data breach and has requested Sogei (Società Generale d’Informatica) SpA, a public company owned by the Ministry of Economy and Finance, for more information on this matter.

SOGEI SPA, a public company wholly owned by the Ministry of Economy and Finance and responsible for managing the technological infrastructures of the financial administration, has denied all claims of a ransomware attack on the Italian tax agency.

"With regard to the alleged cyber attack on the tax information system, Sogei spa informs that from the first analyses carried out, no cyber attacks have occurred nor have data been stolen from platforms and technological infrastructures of the Financial Administration. From the technical investigations carried out, Sogei, therefore, excludes that a cyber attack on the site of the Revenue Agency," the company said.

Meanwhile, the notorious LockBit ransomware gang has listed Agenzia delle Entrate on its list of victims and claims to have stolen 100 GB of data. According to the group’s claims, the stolen data includes company documents, scans, financial reports, and contracts which it threatens to publish if a ransom isn’t paid by August 1.

Interestingly, LockBit also victimised a local town council in Canada last week and has given the town until 30th July to pay a ransom, failing which it would publish 67 GB of data stolen from the town’s servers.

Commenting on the alleged targeting of Italy’s IRS, Javvad Malik, the Lead Security Awareness Advocate at KnowBe4, said, “This is an example of the ever-increasing move from traditional ransomware to double and triple extortion, whereby criminals will steal data from the victim organisation and leverage the stolen data for additional payments.

“What often gets overlooked in these stories are the fundamental questions of how criminals got into organisations, how were they able to move around undetected and exfiltrate large quantities of data, often over a long period of time?

“When we examine the root causes, we frequently find that criminals will take advantage of unpatched software, weak credentials, or social engineer their way into victims’ environments. After that, the lack of monitoring and threat detection controls allows criminals to move around the network at will.

“While the huge impact such acts have is undeniable, if organisations took a few fundamental steps by training staff, implementing strong credentials (MFA), patched vulnerable systems, and had some monitoring controls in place they could greatly reduce the overall risk," he added.