Hive attacks Trenitalia and Ferrovie dello Stato

Incident Date:

March 24, 2022

World map



Hive attacks Trenitalia and Ferrovie dello Stato


Trenitalia and Ferrovie dello Stato




Roma, Italy

, Italy

First Reported

March 24, 2022

Hive Ransomware Gang Attacks Italian Railway Network

The Hive ransomware gang has attacked Trenitalia and Ferrovie dello Stato. Sales systems of Trenitalia and Ferrovie dello Stato, including self-service machines and ticket offices at stations, experienced a disruption on the morning of March 23, rendering them non-functional. The reason behind this disruption was the deliberate shutdown of a portion of the ticketing network by the company. This action was taken to address a targeted ransomware attack aimed at the Italian railway network infrastructure managed by Rfi, a subsidiary of the company.

Details of the Attack

What we know so far is that Ferrovie fell victim to a type of malicious software called cryptolocker, which encrypts data and demands a ransom in exchange for a decryption key. Initially, there were speculations that Russian actors were responsible for the attack, according to a source close to security authorities. However, at present, there is insufficient evidence to determine attribution, as stated by Ivano Gabrielli, the director of the Postal Police's National Cybercrime Center for the Protection of Critical Infrastructures (Cnaipic).

Cnaipic is collaborating with the recently established National Cybersecurity Agency (Acn) to address the breach and conduct a thorough analysis. Gabrielli emphasizes that, at this stage, they are treating the incident as a case of computer crime. Roberto Baldoni, the director of Acn, also affirms the criminal nature of the attack in an interview with Corriere della Sera.

Investigation and Response

The primary theory under investigation suggests that the Hive ransomware group is responsible for the breach, based on trading chats published on the Italian website Redhotcyber, which have been subsequently corroborated by sources involved in the investigation. As a precautionary measure, certain unrelated areas have been isolated. Ferrovie has announced that other online systems are functioning normally and they are working to restore sales operations at the stations as soon as possible.

Recent Ransomware Attacks

The Recent Ransomware Attacks (RRA) site acts as a watchtower, providing you with near real-time ransomware tracking of attacks, groups and their victims. Given threat actors’ overarching, lucrative success so far, ransomware attacks have become the most ubiquitous, and financially and informationally impactful cyber threat to businesses and organizations today.

The site’s data is generated based on hosting choices of real-world threat actors, and a handful of other trackers. While sanitization efforts have been taken, we cannot guarantee 100% accuracy of the data. Attack updates will be made as source data is reported by reputable sources. By viewing, accessing, or using RRA you acknowledge you are doing so at your own risk.