The LockBit ransomware crew is claiming to have stolen 78GB of data from Italy’s tax agency and is threatening to leak it if a ransom isn’t paid by July 31.

The notorious gang put a notice on its dark-web site adding the agency – the Agenzia delle Entrate – to its growing list of victims. According to LockBit, the data stolen includes documents, financial reports, and contracts.

The Euro nation’s police are investigating the alleged security breach, which was revealed Monday by Pierguido Iezzi, CEO of Swascan, the cybersecurity unit of business services company Tinexta Group, according to Italian media.

In a brief press release, the Italy Revenue Agency – essentially the country’s equivalent to America’s IRS and the UK’s HMRC – said it had asked Sogei SPA, a state-owned company that manages the tax agency’s IT infrastructure, for “feedback and clarifications” in the wake of reports of an intrusion.

However, Sogei told Bloomberg in a statement that an initial investigation by the company found no signs of a cyberattack or a data breach.

If information was stolen, the tax agency would only be the latest in an expanding list of victims of LockBit. According to cybersecurity vendor Digital Shadows, LockBit was one of the most active ransomware group in the second quarter, accounting for 32.77 percent of all incidents where victim organizations were posted to ransomware leak sites.

LockBit, which has been active since 2019, also made headlines in June with the release of LockBit 3.0, the latest version of its ransomware. A key change was the introduction of a bug bounty program, with the threat group offering rewards ranging from $1,000 to $1 million to individuals who find exploits, personal data on potential victims, information on high-value targets, or ideas for improving the operation.

LockBit also created new dark web sites for LockBit 3.0 and said that it is now accepting Zcash cryptocurrency for payment, allowing anyone to buy the stolen data, and offering victims the chance to pay the group to destroy the data. They also can pay to extend the deadline for paying the ransom by another day.

The notice on LockBit’s dark web site says the Italian tax agency was attacked by LockBit 3.0.

Digital Shadows said the release of LockBit 3.0 could juice ransomware activity in Q3. When LockBit released an improved version in July 2021, it dominated the ransomware threat landscape. LockBit 3.0 could do the same this time around, the researchers wrote.

“The new programs and features released by LockBit could also inspire other groups to follow in their footsteps, depending on the success of their new offerings,” they wrote. “However, the group’s attempts at auctioning off the data are unlikely to be successful, as we have seen other groups such as REvil attempting similar tactics in the past without much success.”

The threat group and its attack on the tax agency are examples of the evolution of ransomware away from encrypting files and demand a ransom in return for a key to decrypt the data. Ransomware groups increasingly are more likely to steal the data and extort the victim with the threat of publishing the data. It’s creating a new threat category of “extortion groups.”

Digital Shadows in its report wrote that it monitors 88 data-leak sites every day from both ransomware and extortion groups. The cybersecurity vendor said that in Q2, there were 705 organizations listed on the ransomware data-leak sites, a 21.1 percent increase over the first quarter. This was due to greater activity by many ransomware groups, including LockBit, which had a 13.8 percent quarter-over-quarter increase. ®