Cyber Incident Victim: Ermenegildo Zegna Group
Date: Aug 2021
Location: Italy
Summary
The Ermenegildo Zegna Group, a major global menswear brand, suffered a ransomware attack by the RansomEXX group resulting in data theft and leakage. Attackers exfiltrated approximately 20.74GB of corporate data comprising 43 compressed archives before publicly releasing the stolen information. The incident impacted the luxury fashion house known for its extensive international retail operations and export-focused business model. RansomEXX, a ransomware operation targeting both Windows systems and VMware ESXi servers, had previously compromised entities including a regional Italian government's COVID-19 vaccination infrastructure and a Taiwanese hardware manufacturer. The breach exposed sensitive organizational documents but did not disrupt the company's publicly reported revenue streams.
Description
On or around August 6, 2021, the RansomEXX ransomware group publicly claimed responsibility for a cyberattack against Ermenegildo Zegna Group, the Italian luxury fashion house and world’s largest menswear brand by revenue. The attackers exfiltrated approximately 20.74 gigabytes of data from the company’s systems before leaking 43 compressed archives containing the stolen information. The leaked data consisted of 42 archives each sized at 500 megabytes and one additional archive containing 239.54 megabytes of documents. RansomEXX typically employs double-extortion tactics by stealing sensitive data prior to encrypting victim systems, though the source material does not specify whether Zegna’s operational systems were encrypted during this incident. The fashion house, which reported €1.159 billion in revenue for 2018 and operates 480 global retail stores with exports constituting over 90% of sales, faced potential exposure of business documents and intellectual property through this data leak. No public statements from Zegna regarding incident response, ransom negotiations, or system recovery processes were documented in the source material at the time of reporting.

The attack occurred during an active operational period for RansomEXX, a ransomware operation originally active under the name Defray since 2018 before rebranding in June 2020. The group specializes in targeting both Windows systems and VMware ESXi virtualized environments, suggesting possible infrastructure vulnerabilities in Zegna’s IT architecture. This incident followed RansomEXX’s June 2021 attack against Italy’s Lazio regional government, which disrupted COVID-19 vaccination scheduling systems, and preceded their August 2021 breach of Taiwanese hardware manufacturer GIGABYTE involving 112 gigabytes of stolen data. The consecutive high-profile attacks demonstrated the group’s continued focus on large enterprises and critical infrastructure entities. While the full operational impact on Zegna’s manufacturing, retail operations, and supply chain remained unspecified in available sources, the confirmed theft and leakage of corporate data created immediate reputational and potential regulatory risks for the luxury brand. The absence of documented containment measures or forensic findings in source materials limits further technical analysis of the intrusion timeline or recovery actions undertaken by the organization.
