
Cyber Incident Victim: Oralia

Date: Apr 2022

Location: France

Summary

A real estate management company experienced a ransomware attack claimed by the previously unknown Black Basta group, which exfiltrated approximately 60 GB of compressed data including customer identification documents and internal system information. The attackers employed double extortion tactics by encrypting systems after stealing sensitive personal and financial data, threatening potential public disclosure. Orange Cyber Defense assisted in identifying the ransomware variant and entry point, while the parent company confirmed isolation of affected servers to prevent network propagation. Critical systems were temporarily paralyzed, though email functionality was restored within days. The incident prompted warnings to customers about the risks of transmitting data, since compromised tenant records expose them to potential identity fraud.


Description

On April 20, 2022, Oralia, a French real estate management firm and subsidiary of Nexity, detected a cyberattack on its network. The company promptly notified clients via email, disclosing the incident and implementing security measures to contain potential propagation and misuse of compromised data. Oralia's website displayed a banner indicating its online client portal was inaccessible, while phone inquiries to local agencies confirmed widespread paralysis of its core information systems. By April 22, email functionality had been partially restored. In a follow-up communication, CEO Karine Olivier revealed that Orange Cyber Defense had been engaged for forensic support and stated the attack's origin had been "very rapidly identified," with evidence showing threat actors had encrypted certain data—strongly indicating ransomware involvement. Though the specific ransomware variant remained undisclosed, the warnings against transmitting sensitive data via email and references to encryption suggested perpetrators likely employed double extortion tactics, combining data theft with system encryption to pressure payment.


Nexity's communications director confirmed on April 25 that Oralia's servers were isolated from Nexity's infrastructure, eliminating concerns about lateral movement to the parent company. Orange Cyber Defense identified both the ransomware strain and initial attack vector, though these details were not publicly disclosed. Recovery operations commenced immediately after the April 20 detonation. On April 27, the previously unknown Black Basta ransomware group claimed responsibility via their leak site, publishing samples including identity documents, internal corporate files, and a partial network map highlighting Oralia's virtualized environment. The group asserted possession of approximately 60 GB of compressed stolen data. The breach exposed sensitive client information typical of property managers (identity records, financial documents, and tax details), elevating risks of identity fraud for affected individuals. Oralia, managing 183,000 properties with 700 employees across 37 subsidiaries, reported €75 million annual revenue prior to the incident. Forensic investigations continued to determine the full scope of data exfiltration while restoration efforts progressed.
