Cyber Incident Victim: NoEscape

Date: Jun 2023

Location: Italy

Summary

The NoEscape ransomware group claimed responsibility for an attack against Italian financial services firm CreditTeam, exfiltrating approximately 121GB of sensitive data including confidential company documents, client financial records, passport details, and credit card information. The attackers threatened to publish the stolen data, which also affected approximately 100 businesses linked to CreditTeam, unless undisclosed demands were met. The compromised information encompassed fiscal records, credit agreements, and proprietary corporate data, posing significant risks of financial fraud and identity theft for affected individuals and entities. At the time of reporting, the victim organization had not publicly acknowledged the incident or released an official statement regarding the breach.

Description

On June 25, 2023, the NoEscape ransomware group claimed responsibility for a cyberattack targeting CreditTeam, an Italian financial services company specializing in subsidized finance, credit intermediation, and fiscal incentives for SMEs and professionals. The group announced the breach on its darknet Data Leak Site (DLS), asserting it had exfiltrated 12GB of sensitive data from CreditTeam’s IT infrastructure. NoEscape threatened to publish the stolen data within eight days, displaying a countdown timer set to expire on July 3 at 18:34. The compromised data reportedly included confidential financial records, tax documents, credit agreements, client passports, and corporate credit card details belonging to CreditTeam and its customers. Attackers emphasized possession of data from approximately 100 additional companies that had conducted business with CreditTeam, listing domains such as ambrosini.it, combustibilicereda.it, capoferri.it, eredibaitelli.it, and bontempiimpiantipec.it as examples. They warned of severe reputational and operational consequences for both CreditTeam and these third-party entities if ransom demands were not met.

The incident exposed highly sensitive client information, including personally identifiable information (PII) and financial data, escalating risks of identity theft and financial fraud for affected individuals. NoEscape’s post highlighted the inclusion of business owners’ passport scans and credit card specifics, urging victims to file police reports preemptively. At the time of the article’s publication on June 26, CreditTeam had not issued a public statement acknowledging the breach or detailing mitigation efforts. The attackers operated under a ransomware-as-a-service (RaaS) model, employing double extortion tactics by combining data encryption threats with the leverage of leaking stolen information. The absence of confirmed restoration efforts or communication from CreditTeam left the full operational and financial impacts unverified, though the scale of compromised intercompany financial documents suggested potential cascading disruptions across CreditTeam’s client network.
