Unpicking the Truth Behind LockBit’s Latest Exploits in Italy

What’s the story?

On Monday (August 1), the ransomware gang LockBit released the files from its latest attack on its dark web site. The files were originally advertised as belonging to the Italian Revenue Agency (Agenzia delle Entrate), who LockBit claimed was their most recent victim. 

However, the Agency has denied that it had been attacked and subsequent evidence from the dark web seems to confirm that they were not the victim at all. Dark web intelligence sheds some light on the truth of this latest activity from LockBit:

LockBit Claims the Italian Revenue Agency is their Latest Victim

On July 25, 2022, LockBit added a new post to their dark web site, claiming to have stolen 100GB of data from the Italian Revenue Agency including company documents, scans, financial reports, and contracts. The group put a deadline of August 1 for publication, and shared screenshots of the files to prove their authenticity. In this case, however, all was not as it seemed.

The Agency quickly put out a statement saying that it had asked Sogei SPA, a public company owned by the Ministry of Economy and Finance that manages the technological infrastructure of the financial administration, to investigate whether it had been breached. A Sogei SPA spokesperson confirmed late on Monday 25 that no signs of a cyberattack or data breach were found in initial checks.

Where was the data really from?

An examination of both the sample screenshots shared by LockBit and the files that were published by the gang once the deadline expired highlighted the name Gesis, an accountancy firm in Agrate Brianza, which was the real victim of the breach. Gesis has since released a statement confirming that the files originated from one of its servers.

The story is further complicated by the fact that Gesis is linked to Studio Teruzzi, another Italian accountancy firm. Both are located in the Agrate Brianza area of Lombardy, some search results list Studio Teruzzi’s name as “Studio Teruzzi Commercialisti Gesis”, and Gesis’ key principal is listed as Giovanni Teruzzi in online business directories. One day after the LockBit post, a different ransomware group – LV – claimed to have compromised Studio Teruzzi.

It is currently not completely clear that the two attacks are related, although it certainly seems likely. If that is the case, it is unusual for two ransomware groups to claim the same victim at the same time. While it is not unheard of for one gang to piggy-back on another’s exploits by reposting previously stolen data, in this instance it seems unlikely because LV claimed the breach before LockBit published the Gesis data and shared completely different sample screenshots in their ransom post.

LockBit works on an affiliate model, with a representative of the group recently claiming that it had over 100 people involved in its Ransomware-as-a-Service scheme. Therefore, a potential explanation is that an affiliate of both gangs has tried to maximize the profits from the same initial data breach, sharing different screenshots with each. Another is that LockBit and LV are connected in a more meaningful way, which raises its own set of questions, including why they would draw attention to this relationship by publishing attacks that can be traced back to each other.