On the morning of March 23rd, all the Trenitalia and RFI ticket offices and self-service machines were found to be unusable, causing inconvenience to thousands of people who rely on them every day to buy their train tickets. The cause of these inefficiencies is the same that interrupted the information services of the Lazio Region last summer: a ransomware attack.
The incident began on Tuesday 22 March night and the Italian company immediately gave the order to turn off the computer terminals of the offices throughout the country, causing multiple problems to the tablet devices of all staff members on board the trains and within the stations. Consequently, the Postal Police authorities were promptly informed.
In a note, Ferrovie Dello Stato informed that “As a precaution, some of Trenitalia’s physical sales systems have been deactivated. Therefore, it is temporarily not possible to buy travel tickets in the ticket offices and self-service stations in the stations, while the online sale is still functioning”.
Who is involved?
At first, all the attention was directed to the East and in particular to a Russian nation-state attack, due to the previous declarations of the Italian Prime Minister Mario Draghi in support of the Ukrainian nation and condemnation of the Russian invasion.
Subsequently, it was leaked on several sources that the attacker seems to be the Hive group, a Russian-based cybergang with Bulgarian affiliates that operates according to the logic of Ransomware-as-a-service. The group is already known in Italy due to previous attacks on MediaWorld and an ASL in the Veneto region. We can therefore assume that behind the Ransomware attack on RFI there is a criminal group that is not ideologically deployed but operates for economic reasons.
Professor Baldoni, director of the Agenzia della Cybersicurezza Nazionale (ACN), recently reported: “No to the psychosis of the attack linked to the war in Ukraine. Here there is a criminal motivation, as elsewhere. […] We are faced with a hacker attack similar to others that have hit companies and infrastructures in Italy in recent times. The Agency was created precisely to increase their resilience capacity, especially when relevant actors, such as the railways, are affected “.
Furthermore, the credentials to the channel for the confidential negotiation between the attackers and RFI were leaked on several Telegram groups, leading unauthorized users to access the negotiation and offer 1 euro as a ransom payment to the attackers.
(leaked conversation between unauthorized users and Hive group)
The attacking group subsequently requested the payment of a ransom equal to 5 million euros in Bitcoin. There is still no possibility of knowing whether the Italian transport company has made the payment of the ransom, however most service inefficiencies were resolved within 48 hours, during which RFI returned to operate through the deployment of a large number of staff in the stations to assist passengers buying their train tickets and with megaphones that signaled the arrival and departure of trains at the station.
Some final considerations
According to the Unit 42 Ransomware Threat Report by the threat intelligence team of Palo Alto Networks, Italy is the fourth country in Europe for ransomware attacks with constantly growing trends both in the number of attacks carried out and in the sums required for the ransom.
Based on these numbers, we can only reflect on an increasingly necessary regulatory response by Italian and European institutions: the only way to reverse the increasing trend in ransomware attacks is to make the payment of ransom illegal by any organization. Only by interrupting the sources of financing of cybercriminal groups, we could observe the extinction of this type of attack in the future, as it similarly happened in Italy during the kidnapping period: with the 1993 law that blocked the personal property of hostage families to avoid payments to criminals, the phenomenon promptly decreased until it was extinguished.
Author: Giovanni Recchi