Cyber Incident Victim: Dollmar S.p.A.
Date: Oct 2022
Location: Italy
Summary
The Italian chemical distribution company Dollmar S.p.A. suffered a ransomware attack by the Ragnar Locker group, which exfiltrated and publicly released approximately 35GB of sensitive data after the firm refused to pay the ransom. The attackers gained entry through weaknesses in the network perimeter, most likely compromised Remote Desktop Protocol (RDP) access, and applied double extortion: encrypting systems while threatening to leak the stolen data. The published information included internal documents, verified as genuine via company letterhead samples. Ragnar Locker's methodology involved privilege escalation using known Windows vulnerabilities, deployment of a virtual machine to bypass security controls, and lateral movement across the network prior to data theft and encryption. The incident resulted in operational disruption and exposure of proprietary information.
Description
On or around October 19, 2022, Italian chemical distribution company Dollmar S.p.A. suffered a ransomware attack attributed to the Ragnar Locker cybercrime group. The attackers compromised Dollmar's network by exploiting exposed Remote Desktop Protocol (RDP) services, likely through brute-force attacks on weak passwords or with stolen credentials purchased from dark web sources. After initial access, Ragnar Locker conducted reconnaissance within the network and escalated privileges by exploiting vulnerabilities such as CVE-2017-0213 in the Windows COM Aggregate Marshaler, which allows arbitrary code execution with elevated permissions. To evade detection, the group deployed a Windows XP virtual machine (VM) image via VirtualBox and mapped all local drives into the VM. The ransomware process ran inside the VM and encrypted files on the host through those mapped drives, while security tools on the host saw only a legitimate VirtualBox process. The attackers then deleted volume shadow copies to prevent recovery, disabled the antivirus products they had identified, and used PowerShell scripts to move laterally across network resources before activating the ransomware payload.

Ragnar Locker exfiltrated approximately 35GB of sensitive company data prior to encryption, implementing a double-extortion strategy. When Dollmar refused to pay the ransom, the group published the entire dataset on its dark web leak site, making it publicly accessible via Tor. The leaked data included letterhead samples proving its authenticity. Because Dollmar is a European leader in distributing chemicals to the pharmaceutical, plastics, paint, and mechanical industries, the breach exposed proprietary business information and potentially compromised client data. No operational disruptions were explicitly detailed, but the public data release created reputational risks and compliance concerns regarding data privacy obligations. The company did not issue public statements or confirm remediation efforts in the available reports. Ragnar Locker justified the leak by claiming that Dollmar's management had ignored prior warnings about vulnerabilities and data exposure risks. Security analysts confirmed that the data was accessible to any Tor user without specialized skills, amplifying the potential for misuse. The incident illustrates the tactics Ragnar Locker has used since 2020: a focus on critical infrastructure sectors and persistent follow-through on data leakage threats when ransoms remain unpaid.
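A defender-side detection pass over the three most distinctive steps in the chain described above (RDP password guessing, whole-drive mapping into a VirtualBox VM, and shadow-copy deletion), written for this page as an added example; it is not code from the incident record or from any party involved. It assumes a normalised event schema with the field names ts, event_id, host, src_ip, user, logon_type and cmdline (Windows Security events 4625 and 4688 after normalisation), and runs over constructed sample records; the hostnames, IP addresses and the VM name vm1 are placeholders, not indicators from the incident.

```python
"""Detection rules for the RDP -> VirtualBox -> shadow-copy chain described above.

Added example for this page, not code from the incident record. Field names are
an assumed normalised schema; every event below is constructed sample data.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: Security 4625 (failed logon) and 4688 (process
# creation) records, normalised to the assumed schema.
SAMPLE_EVENTS = [
    # Twelve RemoteInteractive (RDP, logon_type 10) failures from one source
    # inside a minute: the password-guessing pattern the description names.
    *[{"ts": f"2022-10-19T02:00:{s:02d}", "event_id": 4625, "host": "RDP-GW01",
       "src_ip": "198.51.100.23", "user": f"user{s % 4}", "logon_type": 10}
      for s in range(0, 60, 5)],
    # One stray failure from another address: ordinary noise, must not alert.
    {"ts": "2022-10-19T02:10:00", "event_id": 4625, "host": "RDP-GW01",
     "src_ip": "203.0.113.7", "user": "jsmith", "logon_type": 10},
    # VirtualBox shared folders pointing at whole host drives (VM name assumed).
    {"ts": "2022-10-19T03:15:00", "event_id": 4688, "host": "FS01", "user": "SYSTEM",
     "cmdline": r'VBoxManage.exe sharedfolder add "vm1" --name "C_DRIVE" --hostpath "C:\"'},
    {"ts": "2022-10-19T03:15:02", "event_id": 4688, "host": "FS01", "user": "SYSTEM",
     "cmdline": r'VBoxManage.exe sharedfolder add "vm1" --name "D_DRIVE" --hostpath "D:\"'},
    # Shadow-copy destruction immediately before encryption.
    {"ts": "2022-10-19T03:20:00", "event_id": 4688, "host": "FS01", "user": "SYSTEM",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    # Benign VirtualBox use on a workstation: must not alert.
    {"ts": "2022-10-19T03:21:00", "event_id": 4688, "host": "WS17", "user": "alice",
     "cmdline": r'"C:\Program Files\Oracle\VirtualBox\VirtualBox.exe" --startvm dev'},
]

# Command lines that remove Volume Shadow Copies (vssadmin, wmic, WMI class).
SHADOW_COPY_DELETION = [
    re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b", re.I),
    re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\s+delete\b", re.I),
    re.compile(r"Win32_ShadowCopy\b.*\bDelete\b", re.I),
]
# VBoxManage adding a shared folder whose host path is a bare drive root (C:\).
VBOX_HOST_DRIVE = re.compile(
    r'\bVBoxManage(?:\.exe)?\b.*\bsharedfolder\s+add\b.*--hostpath\s+"?([A-Za-z]):\\"?(?:\s|$)',
    re.I,
)


def detect_rdp_bruteforce(events, threshold=10, window=timedelta(minutes=5)):
    """One alert per source IP whose failed RDP logons reach `threshold`
    inside any sliding `window`; reports the peak count and users tried."""
    failures = defaultdict(list)
    for e in events:
        if e["event_id"] == 4625 and e.get("logon_type") == 10:
            failures[e["src_ip"]].append((datetime.fromisoformat(e["ts"]), e["user"]))
    alerts = []
    for ip, attempts in failures.items():
        attempts.sort()
        times = [t for t, _ in attempts]
        peak, start = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts.append({"rule": "rdp_bruteforce", "src_ip": ip, "peak": peak,
                           "users": sorted({u for _, u in attempts})})
    return alerts


def detect_shadow_copy_deletion(events):
    """Alert on every process creation that deletes shadow copies."""
    return [{"rule": "shadow_copy_deletion", "host": e["host"], "cmdline": e["cmdline"]}
            for e in events if e["event_id"] == 4688
            and any(p.search(e["cmdline"]) for p in SHADOW_COPY_DELETION)]


def detect_vbox_host_drive_mapping(events):
    """One alert per host where VBoxManage mapped a whole drive root into a VM."""
    drives = defaultdict(set)
    for e in events:
        if e["event_id"] != 4688:
            continue
        m = VBOX_HOST_DRIVE.search(e["cmdline"])
        if m:
            drives[e["host"]].add(m.group(1).upper())
    return [{"rule": "vbox_host_drive_mapping", "host": h, "drives": sorted(d)}
            for h, d in drives.items()]


def run_detections(events):
    """Run all three rules and return the combined alert list."""
    return (detect_rdp_bruteforce(events)
            + detect_shadow_copy_deletion(events)
            + detect_vbox_host_drive_mapping(events))


if __name__ == "__main__":
    for alert in run_detections(SAMPLE_EVENTS):
        print(alert)
```

Against the sample data the three rules fire once each, on the guessing source, on FS01 for the vssadmin command, and on FS01 for drives C and D, while the single stray logon failure and the workstation's ordinary VirtualBox launch stay silent. The drive-mapping rule deliberately matches only bare drive roots: sharing a single project folder with a VM is routine, whereas exposing every host volume to a guest is the specific precondition the encryption-from-inside-a-VM technique needs, and a 4688 record for it lands before any file is touched.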
