
The Lazio Region has found a backup


On Thursday afternoon, the management of the Lazio Region announced that it had managed to recover a backup (i.e. a safety copy) of the data from the regional database, blocked after suffering a serious hacker attack that a few days ago had interrupted all its digital activities, including the booking and management system for the coronavirus vaccination campaign. The backup should allow the Region to restore its data and restart most of its activities, although exactly how the recovery took place is still not entirely clear.


The news was given by the President of the Region, Nicola Zingaretti, who said that the backup was recovered thanks to a “latest generation system, protected by hardware”, and that it contains data updated to 30 July, therefore up to the day before the attack, which began on the night between 1 and 2 August.

Last week the Lazio Region was hit by a “ransomware” attack: malicious software that locks the victim's data and systems with the aim of obtaining a ransom (hence the name) to unlock them. The attack had blocked all digital services in the region, causing considerable damage especially to the vaccination campaign, whose booking system was only restored on Thursday. In most attacks of this type, it is nearly impossible to recover data locked by the attackers without paying a ransom. This time, however, according to Zingaretti's announcement, the Lazio Region succeeded.

Zingaretti's announcement was very generic (the part about “hardware protection” in particular is not very clear) and was clarified by Corrado Giustozzi, an IT security expert who works for AGID, the government agency that deals with innovation and development of digital services, and which in recent days has collaborated with the technicians of the Region. Giustozzi wrote on Facebook and Twitter that the data was obtained without the ransom payment “by recovering the backups on the Virtual Tape Library that had not been encrypted but only deleted by the attackers to make them unavailable”.

I gladly confirm that the Lazio Region has recovered the data without a ransom payment. Not by decrypting the data but by recovering the backups that were not encrypted but only deleted. But working at a low level, the LazioCrea technicians recovered everything.

– Corrado Giustozzi (@cgiustozzi) August 5, 2021

In practice, according to this account, when the hackers entered the systems of the Lazio Region, instead of encrypting one of the backup systems (which would have blocked access to it) they limited themselves to deleting it. The technicians of the Region then recovered this deleted backup with a “difficult and complex” job, wrote Giustozzi, which made it possible to recover all the data updated as of July 30.

Repubblica then added further details to this reconstruction, saying that the backup system was purchased in 2019 from a US company, without specifying which one.

The announcement of the data recovery is rather surprising, because it is very rare that the cybercriminal groups carrying out ransomware attacks are so careless that they leave the victims the possibility to recover the data without paying the ransom. It also contradicts at least in part the communications of the previous days. After the attack, in fact, the authorities had said that the data backup had been encrypted, that is, blocked by hackers, and not deleted.

Among those who had said so were the councilor for health of the Lazio Region, Alessio D'Amato, and the Minister of the Interior, Luciana Lamorgese. Lamorgese, in a hearing before COPASIR, even predicted that the complete recovery of the data could take years, rather than a few days as seems to have happened.

In any case, in complex IT systems such as that of the Lazio Region there are numerous backup systems, and therefore, although rare, it is not impossible that at least one of these has allowed the recovery of the data.

To understand precisely how the recovery took place, it will be necessary for the Region to publish a more detailed explanation. Giustozzi wrote on Facebook that more “technical details” on the recovery operation will be provided “when the time comes”.
