Lazio Region ransomware attack
A RansomEXX ransomware attack encrypted the datacenter of Italy's Lazio Region, knocking the COVID-19 vaccination booking portal offline for days and triggering a domestic terrorism investigation.
- Victim: Regione Lazio
In the early hours of 1 August 2021, the Lazio Region — the Italian administrative region surrounding Rome and home to nearly six million people — suffered a RansomEXX ransomware attack that encrypted its central datacenter and knocked critical public services offline, most visibly the region's COVID-19 vaccination booking portal. It was one of the most disruptive public-sector cyberattacks in Italian history.
What happened
Overnight between 31 July and 1 August 2021, attackers deployed the RansomEXX ransomware against the Lazio Region's IT infrastructure, encrypting "almost every file in the datacenter," according to officials. The attack disabled the systems that citizens used to book COVID-19 vaccination appointments, suspending all new bookings at the height of Italy's vaccination campaign.
While most reporting attributed the attack to RansomEXX, at least one Italian security researcher claimed evidence linking it to LockBit 2.0 affiliates as well — a reminder that ransomware operations frequently overlap. Regional president Nicola Zingaretti described the perpetrators as operating "from a foreign country," and Italian prosecutors opened a terrorism investigation, with the FBI and Interpol assisting.
Impact
- New COVID-19 vaccine bookings were suspended for several days; appointments already scheduled were honoured, but the disruption hit during a critical public-health window.
- A range of regional administrative IT services were rendered unavailable while the datacenter was rebuilt.
- The region stated that no sensitive personal data was exfiltrated, distinguishing this from double-extortion incidents.
- A temporary booking website was stood up by 5 August, with broader restoration progressing the following week.
Recovery and controversy
Crucially, the region was able to restore systems from backups that the attackers had not encrypted. This generated public controversy: officials had initially implied the backups were also encrypted, prompting speculation — never substantiated — that a ransom had been secretly paid. The region maintained it did not pay, and no evidence emerged to the contrary.
Why it matters
The Lazio attack demonstrated how ransomware against regional government can directly threaten public health and safety, not merely data confidentiality. By striking the vaccination booking system during a pandemic, the attackers turned an IT outage into a civil-protection emergency, justifying the extraordinary step of a terrorism investigation. The incident reinforced two lessons for the public sector: that offline, tested backups are the single most important ransomware control, and that critical citizen-facing services require resilient architectures capable of failing over quickly under attack.
Timeline
Overnight between 31 July and 1 August, attackers deploy RansomEXX against the Lazio Region's datacenter.
Region IT systems are encrypted; the COVID-19 vaccination booking portal goes offline, halting new appointments.
Italian authorities open a domestic terrorism investigation; the region declines to pay any ransom.
Officials state vaccination booking services will be restored within 72 hours.
A temporary vaccination booking website comes online while restoration continues.
Services are progressively restored from backups that were not encrypted by the attackers.
Sources
- bleepingcomputer.com: https://www.bleepingcomputer.com/news/security/ransomware-attack-hits-italys-lazio-region-affects-covid-19-site/
- aha.org: https://www.aha.org/hc3-analyst-note/2021-08-06-hc3-tlp-white-analyst-note-ransomware-attack-covid-19-vaccination
- msspalert.com: https://www.msspalert.com/news/ransomexx-hits-italy
- hhs.gov: https://www.hhs.gov/sites/default/files/lazio-ransomware-attack.pdf