Cyber Incident Victim: Alf DaFrè
Date:
Feb 2025
Location:
Italy
Summary
A Venetian furniture manufacturer employing 350 workers suffered a ransomware attack that encrypted approximately 15% of its IT systems, forcing a complete production halt. The attackers demanded cryptocurrency to restore access, but the company refused payment and disconnected its systems to contain the damage. Despite having a recent backup, recovery efforts exceeded initial estimates of 36-48 hours, leading to extended operational paralysis. The prolonged disruption compelled the organization to seek government wage support for idled staff, with only partial workforce reactivation achieved after over a week. Cybersecurity investments by the victim proved insufficient to prevent the incident, reflecting a broader trend of threat actors increasingly targeting small-to-medium enterprises alongside critical infrastructure sectors.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On the night between February 10 and 11, 2025, cybercriminals infiltrated the servers of Alf DaFrè, a furniture manufacturing company based in Treviso province, Italy. The attackers deployed ransomware that compromised approximately 15% of the company’s IT infrastructure within minutes, specifically targeting the production management server. This malicious software encrypted critical operational data, rendering production systems inoperable. Following the encryption, the criminals demanded a ransom payment in cryptocurrency to restore access. Alf DaFrè immediately reported the incident to the Postal Police and refused to negotiate with or pay the attackers. As a containment measure, the company powered down its entire IT network to isolate the compromised systems and protect unaffected data repositories. Initial assessments indicated the attack utilized ransomware designed to exfiltrate and block access to business-critical information for extortion purposes. Despite having a backup updated to the evening before the attack, technical staff determined recovery would require significantly more time than the initially projected 36-48 hours. The company’s two production facilities in Cordignano and Francenigo di Gaiarine ceased all manufacturing operations following the system shutdown.
The operational paralysis lasted eight consecutive days, forcing Alf DaFrè to request state-funded temporary layoff support (cassa integrazione) from INPS for its 350 employees due to the unforeseen production stoppage. Most workers remained idle during this period, with only a limited number gradually returning to partial operations in subsequent days. Management coordinated this workforce decision in consultation with labor unions, citing the cyberattack as an abrupt and unavoidable disruption under Italian labor regulations. The incident marked a continuation of ransomware campaigns increasingly targeting small-to-medium enterprises, contrary to earlier perceptions that primarily large corporations faced such risks. FILCA CISL union representative Roberto Martini noted Alf DaFrè had invested substantially in cybersecurity prior to the attack, though these measures proved insufficient against this intrusion. The attack’s aftermath highlighted sector-wide vulnerabilities, with historical parallels to ransomware incidents affecting healthcare providers and energy companies—entities similarly pressured to pay ransoms to avoid prolonged service interruptions. No data theft or secondary demands beyond the initial cryptocurrency ransom were reported in this case. Production machinery remained physically intact but inoperable due to the server encryption and precautionary IT shutdown.