Cyber Incident Victim: Moncaro

Date: Mar 2025

Location: Italy

Summary

Moncaro suffered a severe cyberattack that paralyzed its computer systems for an extended period. The malware infection, suspected to be ransomware, blocked all eight externally managed servers, rendering critical business data inaccessible, including client, supplier, financial, and administrative archives. Email systems were also disabled, forcing employees to use personal accounts. Only locally stored payroll software remained functional. The disruption occurred while the cooperative was already under government-appointed administration due to financial difficulties. No ransom demand was received.

Description

On March 10, 2025, it was reported that the Moncaro wine cooperative, based in Montecarotto, Italy, had been targeted by hackers in a cyber attack. The attack, which likely occurred over the preceding weekend when offices were empty, resulted in the complete blockage of all computer systems at the cooperative's headquarters. This paralysis had persisted for 19 consecutive days, leaving employees unable to access the data and archives needed for daily operations. Specifically, eight servers managed by an external multinational company were entirely blocked by malware, identified as ransomware. The malware is believed to have infected the systems after a compromised file was downloaded. Despite Moncaro's known financial vulnerability and the external management of its servers, cybersecurity measures were reportedly not neglected. The attack effectively halted access to critical information, including client and supplier details, commercial archives, banking records, and administrative data. Email systems were also non-functional, forcing employees to resort to personal email addresses for communication; this workaround inadvertently led to news of the attack becoming public. The only software still operational was the payroll program, which kept working because it and its associated archive had been downloaded onto one specific company computer. As of the reporting date, no ransom demand had been received by the cooperative.

Moncaro, described as the largest wine cooperative in the Marche region, was already in a precarious financial state prior to the attack. It had been under compulsory administrative liquidation since January 2025 and had been placed under commissionership by the Ministry of Enterprises and Made in Italy since October 2024, facing a deficit of 38 million euros. The cyber attack significantly disrupted its operations during this critical period. Theories regarding the attack's origin emerged: one suggested involvement by well-prepared foreign hackers, potentially Russian, targeting Moncaro due to its commercial ties with Ukraine, Russia, and Balkan countries, possibly as part of a broader campaign against European businesses, banks, and institutional sites. An alternative hypothesis proposed that the attack might have been a deliberate action intended to impede the work and investigation of the ministerial commissioner overseeing the cooperative's liquidation. The incident caused widespread operational paralysis, severely hindering the cooperative's ability to function amidst its existing financial and administrative challenges.
