UPDATE 3.23.2022 at 11.30 pm
The outage of the IT network that controls the ticket offices and self-service machines in Italian railway stations is the work of the ransomware group HiveLeaks, according to a recent article in Corriere della Sera.
The chat screenshots published on the newspaper's website show the ransomware group's messages demanding a ransom of 5 million dollars in bitcoin for the decryption of the files. The payment, the messages say, must be completed within 72 hours. After this deadline, the ransom will be doubled.
Hive writes in a message that the files will be decrypted only once RFI has uploaded a file with the .key extension to a section of the chat, a file usually present in C:\ or root “shared folder”.
According to a spokesman for RFI (Rete Ferroviaria Italiana), no ransom request has arrived from the cybercriminals.
Since the early hours of this morning, the network that controls the ticket offices and self-service machines has been shut down as a precaution. There is no inconvenience for travelers who buy their tickets through the online platform.
A Russian hacker group is reportedly behind the ransomware attack, at least according to the first investigations carried out by IT technicians, although advancing this hypothesis now seems completely premature.
The decision to shut down all the sales terminals was taken to prevent the ransomware from spreading across the entire computer network that manages the ticket offices and self-service machines, and also to those in the company offices, with consequent disruption for on-board staff and for staff on station platforms.
At the moment the IT technicians of the Ferrovie dello Stato (FS) are carrying out further checks within the IT networks with the help of the Postal Police.
In a statement, FS said:
“As a precaution, some users of Trenitalia’s physical sales systems have been deactivated. It is currently not possible to purchase travel tickets at the ticket offices and self-service stations in the stations, while it is possible to do so through online sales”.
The FS note goes on to explain that some delays may also occur in reservations for the services of RFI's Blue Rooms. For this reason, travelers are allowed to board the trains and buy their ticket from the conductor without the surcharge. FS points out that the hacker attack is not having any effect on normal railway traffic.