LockBit Ransomware Disrupts Public Digital Services in Italy

Executive Summary

On December 8, 2023, a ransomware attack targeted Westpole, a cloud service provider in Italy. The attack had a significant impact on PA Digitale, a subsidiary of the Italian government that manages digital payments and online public services.

As a result, the threat actors, who used the LockBit 3.0 ransomware variant, disrupted services for numerous public administrations and municipalities.

The attack emphasises the evolving threat of ransomware, particularly the sophisticated tactics of LockBit, warranting increased caution.

What Happened

Westpole, a cloud service provider in Italy, fell victim to a ransomware attack on December 8, 2023.

Threat actors using LockBit ransomware carried out the attack.

The primary target was PA Digitale, a customer of Westpole and a key player in digital services for public administration, which provides services to 1300 public administrations, including 540 municipalities.

Consequently, the attack paralysed services and forced impacted entities to resort to manual operations. Some of the Italian media reported that the attack could interfere with the payments of December salaries to the employees at some of the impacted government organisations.

At this point, the Italian cybersecurity agency ACN is actively working on recovering data for affected organisations.


In response to the incident, Westpole notified the privacy regulator, Garante della Privacy, and the Italian police, initiating an investigation into the cyber attack. The Italian cybersecurity agency ACN is working to recover data for more than 700 national and local public entities linked to PA Digitale.

In its official statement, the ACN reported successful data recovery for over 700 entities but highlighted the ongoing need for data recovery for approximately 1,000 public entities contractually linked to PA Digitale. The recovery activity aims to retrieve data dating back to the three days preceding the attack on December 8. Notably, according to information provided by PA Digitale, the ACN’s efforts have mitigated the feared failure to pay December salaries and the thirteenth salary to employees of some indirectly affected local administrations.

However, challenges persist as reports indicate that Westpole has only managed to restore 50% of its systems, showcasing the slow and challenging nature of the recovery process. It is uncertain whether the company is capable of completely restoring the impacted systems. This uncertainty raises concerns about the ability of affected entities to provide services and fulfil obligations to employees.

Doubts persist about data security as LockBit 3.0 was involved, despite Westpole’s claim of no data exfiltration. The recovery status remains a focal point for both Westpole and the affected entities, emphasising the ongoing impact and challenges. Continuous communication from the involved parties about the incident and recovery efforts is crucial for transparency.

About LockBit

LockBit is a notorious ransomware variant that has been involved in numerous cyberattacks. It specifically targets enterprises across diverse industries and government organisations.

According to a CISA advisory, LockBit was the most deployed ransomware variant worldwide in 2022 and continues to be prolific in 2023. The LockBit ransomware operation functions as a Ransomware-as-a-Service (RaaS) model. Affiliates are recruited to conduct ransomware attacks using LockBit ransomware tools and infrastructure. Due to the large number of unconnected affiliates in the operation, LockBit ransomware attacks vary significantly in observed tactics, techniques, and procedures (TTPs).

Please refer to our news articles for recent notable attacks involving LockBit in addition to the ransomware attack in Italy.

Ransomware in 2023

Ransomware trends in 2023 reveal a notable increase in attacks. Double extortion tactics are on the rise, and the impact of ransomware is felt globally, with the United States being a prime target. Law enforcement actions, government regulations, international sanctions, and potential cryptocurrency regulation have forced ransomware adversaries to adjust their tactics. The LockBit gang’s activities align with these trends, adapting to technology changes and regulations.

These trends emphasise the critical need for robust cybersecurity measures and international collaboration to counter the escalating ransomware threat. The Westpole attack underscores the urgency for vigilance against evolving ransomware tactics, especially those employed by the likes of LockBit.



Cubic Lighthouse is a cybersecurity publication dedicated to demystifying security, making news actionable, providing deeper thinking about the fundamentals of security, and providing decision-makers and the community at large with the right information to make the right decisions. We will also feature more technical articles and provide personal/family security advice.
