Cyber Incident Victim: Zucchetti Kos
Date: Mar 2023
Location: Italy
Summary
An Italian software company experienced a ransomware attack attributed to the Cl0p gang, resulting in the exfiltration and public release of sensitive data. Approximately 100GB of stolen information, including identity documents, employee contact details, and spreadsheets containing personal information, was made accessible through the group's data leak site. The attackers employed double extortion tactics, threatening data disclosure after the initial encryption effort. The incident exposed substantial volumes of corporate records; the cybercriminal group published multiple download links to substantiate its claims, without indicating whether ransom negotiations had occurred.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
On March 18, 2023, the Cl0p cybercrime gang publicly claimed responsibility for a cyberattack against Italian software company Zucchetti Kos through a post on its dedicated Data Leak Site (DLS). The group provided company details indicating approximately 225 employees and annual revenue of $42 million. Cl0p published approximately 160 separate download links containing purportedly stolen data from Zucchetti Kos's IT infrastructure. Each link corresponded to a 700MB file, totaling roughly 100GB of exfiltrated information according to the evidentiary material released by the attackers. The available samples included identity documents and Excel spreadsheets containing employee names, email addresses, and telephone numbers, alongside miscellaneous operational data. No formal acknowledgment or press release from Zucchetti Kos appeared on the company's corporate website at the time of the attack's public disclosure. Forensic analysis of the published datasets suggested extensive extraction of sensitive operational records beyond basic employee information, though the specific systems compromised were not detailed in the leak announcement.

The incident followed the double extortion framework characteristic of ransomware operations, in which threat actors exfiltrate sensitive information before encrypting systems. While Cl0p did not explicitly mention deploying ransomware payloads against Zucchetti Kos, its use of hard-deadline timers for ransom negotiations aligned with the extortion tactics it is known to have used against prior victims. The scale of the published data indicated significant data harvesting before public disclosure, suggesting prolonged network access prior to detection. Cl0p's operational methodology involved selective data leak warnings intended to coerce victims into negotiations and so avoid full public distribution of the stolen assets. The absence of immediate business continuity disruptions implied possible targeting of financial and personnel records rather than production infrastructure. No technical details regarding initial access vectors, containment measures, or incident response timelines were disclosed by either the attackers or Zucchetti Kos. Public exposure of employee identification documents and communications records increased the organization's legal liabilities and reputational risks, including potential regulatory compliance implications under European data protection frameworks.
