
Cyber Incident Victim: Comacchio

Date: Apr 2023

Location: Italy

Summary

The Italian company Comacchio was the victim of a ransomware attack by the LockBit cyber gang. The group claimed responsibility and posted samples of stolen data, including an identity card and internal invoices, on its data leak site to prove the breach's validity. LockBit initiated its standard countdown, threatening to publish the entirety of the exfiltrated data if a ransom was not paid.

CIA Posture: Available to members
Motives: 1 motive
Tactics, Techniques & Procedures: 1 technique
Threat Actor: 1 actor
Type: Available to members
Location: Available to members

Description

On or around April 12, 2023, the Italian company Comacchio was the victim of a cyberattack claimed by the LockBit ransomware gang. The criminal group publicly announced the compromise on its data leak site (DLS), initiating its standard countdown timer for the public release of the company's stolen data. The deadline for this publication was set for May 2 at 12:20 UTC, giving the company approximately twenty days to meet the gang's demands before the data would be leaked. The primary leverage in the attack was the threat of double extortion, a tactic where attackers first exfiltrate sensitive data before encrypting systems, then demand a ransom to both decrypt the data and to prevent the public release of the stolen information.

LockBit provided evidence of the breach by publishing samples of the data it had exfiltrated from Comacchio's IT infrastructure. These samples were made available on its DLS as proof of the successful intrusion and to increase pressure on the company to pay. The published evidence included a scanned identity card, several invoices, and a selection of internal company documents. This public demonstration was a calculated move to validate the attack's success and to compel Comacchio into negotiations. The article did not specify the initial attack vector used to gain access, the specific ransom amount demanded, or whether any encryption of systems occurred alongside the data theft.

Comacchio S.r.l. is an Italian company with a significant history in the drilling equipment sector. Founded in 1986 by the Comacchio brothers, the company designs, assembles, and provides after-sales service for machinery and plants used in geotechnical engineering, foundations, tunneling, water wells, geothermal energy, and mineral exploration. The company's public-facing messaging emphasizes high standards of efficiency, quality, and customer satisfaction, portraying itself as a young, dynamic, and competitive professional organization. The attack directly threatened these operational pillars by jeopardizing the confidentiality of internal data and potentially disrupting business continuity.

The incident was part of a broader pattern of attacks by the LockBit group against Italian organizations, encompassing both public and private entities. LockBit operates on a Ransomware-as-a-Service (RaaS) model, which distinguishes it from a typical criminal affiliation structure. In this model, a core team develops and maintains the ransomware platform, while affiliated attackers pay to use it for customized attacks. The financial proceeds from any successful ransom payments are then split, with the affiliates receiving a large share, reportedly up to three-quarters of the total funds. This business model has allowed LockBit to become a persistent and evolving threat.

The version of the ransomware used in this attack was identified as LockBit 3.0. This iteration introduced several new features designed to further monetize attacks beyond the traditional ransom for decryption. These features were presented as additional services that a victim could purchase. One service allowed the victim to pay to extend the countdown timer delaying the publication of their data. Another option permitted the victim to pay for the complete destruction of all the exfiltrated information. A third service offered the victim the ability to download their own stolen data at any time. Each of these services carried a separate cost, and payments were to be made in Bitcoin or Monero cryptocurrency.

There was no information provided in the source article regarding Comacchio's immediate response to the attack. The article did not detail any official statements from the company, whether systems were taken offline for containment, if law enforcement was engaged, or if external cybersecurity experts were brought in for incident response and recovery. The public-facing website of Comacchio remained operational and displayed its standard promotional content, with no mention of the security incident, suggesting the company may not have publicly acknowledged the breach at that time. The cybersecurity news outlet Red Hot Cyber stated it would monitor the situation for developments and would publish any substantial updates or any official statement provided by Comacchio.

The potential impacts of the incident were significant given the nature of the data samples published by the attackers. The exposure of an identity card poses immediate privacy and identity theft risks for the individual employee involved. The leak of internal invoices could reveal sensitive financial information, including details about client relationships, pricing structures, and supplier agreements, which could harm the company's competitive standing. The publication of other internal documents could expose proprietary operational details, intellectual property, or other confidential business information. A full data leak could have resulted in reputational damage, loss of customer trust, and potential regulatory scrutiny under data protection laws like the GDPR.

The LockBit group itself has a long operational history, having evolved through several name and version changes since its inception in September 2019. It began as ABCD ransomware before rebranding to LockBit. It was later updated to LockBit 2.0 and then to LockBit 3.0 in June 2022. The group is considered by authorities to be part of the broader LockerGoga and MegaCortex malware families, meaning it shares behavioral characteristics with these established forms of targeted ransomware and possesses self-propagation capabilities once executed inside a network. The group also maintains a bug bounty program for its own infrastructure, purchases cryptocurrency, and manages a dedicated section for its affiliates, indicating a high degree of organization and sophistication.

The Comacchio attack exemplifies the continuing threat of ransomware to industrial and manufacturing sectors. For a company like Comacchio, whose business involves complex machinery and international clientele, any disruption to its IT systems or compromise of its design and operational data could have severe consequences for its production timelines and ability to service its customers. The attack highlighted the critical need for robust cybersecurity measures, including employee awareness training, comprehensive and isolated backup strategies, rigorous patch management, strict application control following the principle of least privilege, and the implementation of advanced protective measures such as Intrusion Prevention Systems (IPS), Web Application Firewalls (WAF), and extended detection and response (XDR) platforms, potentially supported by a managed detection and response (MDR) service. The overarching guidance from security professionals remains that organizations should not pay the ransom, as there is no guarantee of receiving a functional decryption key and doing so fuels the criminal enterprise for future attacks.

Sources
Sources available to members
1 source