
Cyber Incident Victim: Lucchini Group

Date: Dec 2022

Location: Italy

Summary

The Lucchini Group, an Italian metal manufacturing company, suffered a ransomware attack by the Bl00dy gang, which encrypted its servers and issued a seven-day ransom deadline via Telegram. The attackers warned against independent recovery attempts, claiming backdoor infections could cause permanent data loss, and demanded payment for decryption tools. Bl00dy, described as an offshoot of LockBit that leverages its leaked malware builder, switched ransomware variants to avoid detection while incorporating functionality from multiple malware families. The incident highlighted operational disruptions and potential data integrity risks stemming from the encryption and persistent network compromises.


Description

On December 4, 2022, the Bl00dy ransomware gang publicly claimed responsibility for a cyberattack against Italian metal manufacturing company Lucchini Group through a Telegram channel post. The attackers declared they had compromised the company’s network, encrypted all servers using their ransomware, and implanted backdoors throughout the infrastructure. Their message, written in Italian and English, demanded negotiations within seven days, threatening permanent data loss if victims attempted independent file recovery. The gang instructed Lucchini to contact them via email for decryption tools, which they claimed would be provided upon ransom payment. Bl00dy specifically warned that restoration attempts without their involvement would irrevocably damage files due to the persistent backdoor infections.


Bl00dy, first identified in September 2022, was characterized as a "son of LockBit" due to its use of LockBit’s leaked ransomware builder to develop its own malware variant. The group appended the .bl00dy extension to encrypted files and frequently altered its malware strains to evade detection while retaining functionalities from multiple ransomware families. Lucchini RS S.p.A., the targeted entity, is a major Italian industrial firm specializing in metal production and railway component manufacturing. No technical details regarding Lucchini’s detection methods, containment procedures, or operational/financial impacts were disclosed in the gang’s announcement or subsequent public reporting. The company’s response to the attack and the ultimate resolution of the incident remained unconfirmed in available sources.
