Ransomware group targets Italian tax agency

LockBit, one of the most prolific ransomware operations, claims to have 100GB of data from the agency.
Italian government building
A view of the main facade of the Palazzo Chigi in Rome. (Photo by Giorgio Cosulich/Getty Images)

Italian authorities are investigating the theft of roughly 78 gigabytes of data stolen from Italy’s tax agency, l’Agenzia delle Entrate, the Italian news agency ANSA reported Monday.

Earlier Monday, LockBit 3.0, one of the most active and prolific ransomware groups going, posted a notice to its website claiming it had stolen “100GB: company documents, scans, financial reports, contracts” from the agency, along with six screenshots purporting to show a sample of the files.

Notice posted to the LockBit 2.0 website July 25, 2022.

A message posted to the agency’s website said that it had “immediately requested feedback and clarifications from SOGEI SPA,” the publicly owned IT company “which manages the technological infrastructures of the financial administration and is carrying out all the necessary checks,” according to a Google translation.


The agency later appended a message to the original that said that an initial analysis found no indications that a cyberattack occurred, “not has data been stolen” from the agency, according to a Google translation. Nevertheless, the statement continued, the investigation remains ongoing.

LockBit 3.0 first emerged as a distinct ransomware-as-a-service variant in September 2019 as the ABCD ransomware and has since evolved several times. It’s grown to become perhaps the most active group in the space. As of May, the group accounted for 46 percent of all ransomware-related breach events in 2022, and had racked up more than 850 victims around the world, Palo Alto Networks’ Unit 42 reported in June.

Experts have warned in the past that LockBit has previously made grand claims that turned out to be bogus, or have claimed information stolen from one entity was actually data from another entity.

Update, 7/26/22: to include the modified statement denying an attack occurred.

AJ Vicens

Written by AJ Vicens

AJ covers nation-state threats and cybercrime. He was previously a reporter at Mother Jones. Get in touch via Signal/WhatsApp: (810-206-9411).

Latest Podcasts