Louise Ferrett, Threat Intelligence Analyst at Searchlight Security

On Monday (August 1), the ransomware gang LockBit released the files from its latest attack on its dark web site. The files were originally advertised as belonging to the Italian Revenue Agency (Agenzia delle Entrate), who LockBit claimed was their most recent victim. 

However, the Agency has denied that it had been attacked and subsequent evidence from the dark web seems to confirm that they were not the victim at all. Dark web intelligence sheds some light on the truth of this latest activity from LockBit:

LockBit Claims the Italian Revenue Agency is their Latest Victim

On July 25, 2022, LockBit added a new post to their dark web site, claiming to have stolen 100GB of data from the Italian Revenue Agency including company documents, scans, financial reports, and contracts. The group put a deadline of August 1 for publication, and shared screenshots of the files to prove their authenticity. In this case, however, all was not as it seemed.

The Agency quickly put out a statement saying that it had asked Sogei SPA, a public company owned by the Ministry of Economy and Finance that manages the technological infrastructure of the financial administration, to investigate whether it had been breached. A Sogei SPA spokesperson confirmed late on Monday 25 that no signs of a cyberattack or data breach were found in initial checks.

Where Was The Data Really From?

An examination of both the sample screenshots shared by LockBit and the files that were published by the gang once the deadline expired highlighted the name Gesis, an accountancy firm in Agrate Brianza, which was the real victim of the breach. Gesis has since released a statement confirming that the files originated from one of its servers.

The story is further complicated by the fact that Gesis is linked to Studio Teruzzi, another Italian accountancy firm. Both are located in the Agrate Brianza area of Lombardy, some search results list Studio Teruzzi’s name as “Studio Teruzzi Commercialisti Gesis”, and Gesis’ key principal is listed as Giovanni Teruzzi in online business directories. One day after the LockBit post, a different ransomware group - LV - claimed to have compromised Studio Teruzzi.

It is currently not completely clear that the two attacks are related, although it certainly seems likely. If that is the case, it is unusual for two ransomware groups to claim the same victim at the same time. While it is not unheard of for one gang to piggy-back on another’s exploits by reposting previously stolen data, in this instance it seems unlikely because LV claimed the breach before LockBit published the Gesis data and shared completely different sample screenshots in their ransom post.

LockBit works on an affiliate model, with a representative of the group recently claiming that it had over 100 people involved in its Ransomware-as-a-Service scheme. Therefore, a potential explanation is that an affiliate of both gangs has tried to maximize the profits from the same initial data breach, sharing different screenshots with each. Another is that LockBit and LV are connected in a more meaningful way, which raises its own set of questions, including why they would draw attention to this relationship by publishing attacks that can be traced back to each other.

Why Did LockBit Misattribute the Data?

The question remains as to why LockBit falsely claimed that the data had come from the Italian Revenue Agency. It is worth noting that, if it was a deliberate attempt to misrepresent the data and extort money out of the Italian Government, it wouldn’t be the first time LockBit had been economical with the truth. The ransomware gang has previously falsely claimed that it had compromised Mandiant, after the cybersecurity company wrote an unfavorable report on the group that linked it to EvilCorp.

Another possible explanation is that this was a mistake resulting from the complexity of running an affiliate program. It is possible that the affiliate responsible for the attack misidentified the victim and LockBit simply failed to catch the error before listing it on its dark web site. After all, the published files do contain references to the Italian Revenue Agency, although these appear to be in the context of Gesis and its clients' interactions with it rather than documents belonging to the Agency itself. This might be the source of the confusion.

The consequence of this case of mistaken victim identity is a ransom unpaid, and an accountancy firm’s data leaked. It demonstrates how LockBit’s activity has shown no signs of slowing since the latest version of its ransomware - LockBit 3.0 - was released in June. While it also speaks to the difficulties of managing a large cybercrime affiliate program, the primary takeaway is that for LockBit - and likely many of its peers - rapid speed and volume of attacks, rather than accuracy, is the name of the game.