Skip to main content


You are here:

Italian ransomware attack highlights bad patch management

A major ransomware attack Sunday kicked the majority of Italians off of the internet before administrators were able to restore service. Italy’s National Cybersecurity Agency, ACN, said the attackers targeted a known vulnerability in VMware’s ESXi servers. VMware encouraged customers to install patches. If it feels like you’ve heard this story before, that’s because you probably have. In fact, you’re forgiven for thinking this feels like Groundhog Day. That’s because the vulnerability was first detected almost two years ago, and the Canadian Centre for Cyber Security issued its first security advisory – known as AV21-093 – on February 24, 2021. The Canadian cybersecurity agency issued a second advisory, AV22-689, on December 9, 2022.


The newest attack impacted servers across Italy. At its peak, traffic was reduced to 26% of normal levels across the country. Servers in France, Finland, the United States, and Canada were also affected. The French cybersecurity agency, ANSSI, which issued the first alert on Friday, warned of continuing attacks against vulnerable servers in the days to come, and reiterated its guidance to administrators to patch their affected systems.

So, in case we’re keeping score, here’s where we’re at:

  • VMware identified a weakness in its products 2 years ago.
  • The company released a security update almost immediately, along with an advisory letting customers know they needed to download and install it.
  • National cybersecurity agencies in Canada, the U.S., and elsewhere issued similar advisories and linked to the VMware download.
  • 22 months later, VMware issued another advisory – meaning not everyone had applied the update.
  • Within weeks, the yet-to-be-identified cybercriminals behind this attack pounced. They knew about the weakness, knew that large numbers of servers in Italy and elsewhere had not yet applied the update, and they targeted the weakest links in much the same way lions go after the weakest prey.

In short, this attack happened because the easy fix was ignored on a shockingly large scale. Whoever was responsible for the affected servers in the affected countries failed to download and apply a small piece of free software. In doing so, they left the virtual front door wide open for a couple of years.

This isn’t an exercise in finding fault. We get it: IT isn’t easy. And the cybersecurity competency is even harder to figure out. The threat landscape continues to intensify just as demands from the business – whatever business that happens to be – become more complex and mission-critical.

Worse, the techies must keep the lights on while simultaneously keeping the bad guys at bay – at a time when IT budgets are being increasingly scrutinized amid overall pullbacks in business spending.

The pandemic has pushed IT to, and sometimes beyond, the limit, forcing it to support virtual and hybrid workforces, deploy sophisticated customer-facing e-commerce capabilities, and wrestle with economic uncertainty and supply chain mayhem. In the rush to keep the lights on throughout the pandemic, established protocols and best practices may have been skipped along the way – leaving the organizations they serve dangerously exposed. 


Cybersecurity, for too long, has been a difficult line item to justify in the budget. Like insurance, we tend to ignore its importance until we’ve been digitally compromised. Even still, it is becoming even more of a tough sell. Unlike the shiny new piece of hardware or the massive new building, cybersecurity doesn’t generate the same kind of visceral excitement among those who pay the bills.

Data from JumpCloud reinforces the uphill climb IT now faces, with 44% of IT professionals reporting their organizations will reduce their cybersecurity spending in 2023. Three-quarters of respondents say these cuts will put their organizations at greater risk, and just over half – 58%, say their current security position has worsened over the past year.

They say all this is largely due to the tight labor market, inflation, recessionary fears, and global conflict. Which is likely plausible – but is hardly an appropriate excuse. The sad reality for IT leaders is stark: reduced cybersecurity spending provides the perfect fuel for an explosion in cybercriminal activity. Cutting corners on cybersecurity preparedness is the worst kind of IT math that could very well destroy the business. 


As cybersecurity spending falls behind fast-evolving and expanding needs, IT professionals are left to do their best to keep up. More often than not they manage to keep everything together, often through the sheer forces of creativity and will. But sometimes they end up dropping the ball on mundane operations like security patches and updates. And this global-scale attack is a perfect example of what happens when they fail to keep up.

Applying security fixes in a timely manner slams the door on opportunistic attacks like the one that darkened Italy for much of the day. As ever, human nature, more than any one technology, is what makes us more vulnerable than we need to be. It also explains why attacks seem to be getting bigger, more damaging, and more frequent: because cybercriminals are getting better at identifying who isn’t keeping up and are learning how to choose the most opportunistic targets for ever more impactful cyberattacks. 


The Italian ransomware attack should sound the alarm across all geographies – as well as all governments, corporate leaders, and regular folks alike – that cybersecurity has been an underserved competency for too long.

As organizations continue to evaluate their technology priorities amid an ever-shifting economic landscape, they must examine their cybersecurity spending priorities through a new and more urgent lens. Shaving cybersecurity budgets won’t represent much of a saving after a successful ransomware breach brings the organization to its knees and permanently damages its brand.

The Italian attack proves this risk is more real now than it’s ever been.  And we can start by double-checking whether or not we’ve applied every outstanding security patch and fix. It’s the least we can do.