
Cyber Incident Victim: STIM Group

Date:

Jun 2023

Location:

Italy

Summary

The Italian STIM Group suffered a ransomware attack by the LockBit gang, which exfiltrated approximately 14 GB of data. The stolen information included sensitive financial data, project files, and personal identification documents such as passports and health cards. LockBit threatened to publish this data on its leak site if a ransom was not paid, employing its characteristic double-extortion tactic to pressure the victim.

CIA Posture: Available to members
Motives: 3 motives
Tactics, Techniques & Procedures: 2 techniques
Threat Actor: 1 actor
Type: Available to members
Location: Available to members

Description

On or around June 6, 2023, the Italian company STIM Group was listed on the data leak site (DLS) operated by the LockBit ransomware gang. The group publicly claimed responsibility for a cyberattack against the organization and started its standard countdown timer, set to expire on June 26, 2023, at 12:01:27 UTC, the deadline for publication of the exfiltrated data. This public shaming tactic is the core of LockBit's double extortion model: the threat to release sensitive information pressures a victim into paying even when it can restore from backups and has no need to buy a decryption key. The DLS listing was the primary means of applying that pressure against STIM Group.

Cyber Incident Image

To substantiate the claim and demonstrate the severity of the breach, LockBit published samples of the data it said it had stolen from STIM Group's IT infrastructure. The samples included highly sensitive personal information, specifically scanned identification documents such as health cards and passports belonging to individuals associated with the company. The published evidence also included financial information and project-related documents, indicating that a wide range of corporate data was accessed and copied. The attackers additionally provided a screenshot of directory listings containing the stolen files, which they claimed amounted to 13.8 gigabytes in total. Publishing proof of this kind is a standard tactic for convincing victims that the threat is real and that paying is the only way to prevent a wider release; the screenshots do not, however, allow an outside observer to verify the claimed volume or the completeness of the theft.

STIM Group is an Italian company that specializes in designing and building high-technology plants for the industrialization of products and innovative processes, with a particular focus on the food sector. The company supports clients from the initial feasibility study stages through to design, prototype construction, and the creation of unique process plants and production lines. Its operations also extend into the electrical and mechanical engineering sectors, routine and extraordinary maintenance of production units, and industrial software and automation. The nature of its work suggests it handles sensitive client project data, proprietary industrial designs, and internal financial documents, all of which were potentially at risk following the data exfiltration. At the time of the initial report, there was no public confirmation of the cyberattack from STIM Group itself, leaving the full scope of the intrusion and the company's internal response unclear.

The attack was attributed to LockBit 3.0 (also known as LockBit Black), the latest iteration of the ransomware operation at that time. LockBit operates on a ransomware-as-a-service (RaaS) model with one notable variation from the usual affiliate structure: core developers maintain the ransomware code and infrastructure while affiliates carry out the intrusions, but the affiliate collects the ransom payment directly and remits a share to the developers rather than the reverse. According to the reporting, affiliates keep up to three-quarters of the funds. LockBit 3.0 also added options to monetize an attack beyond the decryption fee: a victim could pay to extend the publication countdown, pay for the claimed destruction of all exfiltrated data (a promise the victim has no way to verify), or pay for exclusive download access to its own stolen data. Payment for these services was demanded in Bitcoin or Monero.

The incident had immediate consequences for STIM Group, primarily the risk of severe reputational damage and potential regulatory fines should the sensitive personal information of employees or clients be publicly released. The exposure of project details and financial data could also undermine its competitive position and breach confidentiality agreements with its clients. The operational impact of any encryption within its networks was not detailed in the available information, but the primary focus of the public reporting was on the data theft and extortion threat. The company faced the difficult decision of whether to engage with the criminals, attempt to restore systems from backups, or pursue other mitigation strategies, all under the pressure of a public deadline.

LockBit has a significant history of targeting organizations in Italy across all of its variants, affecting both public and private sector entities. The group began operations in September 2019, initially known as ABCD ransomware after the .abcd extension it appended to encrypted files, before rebranding as LockBit. Researchers and authorities consider it related to the LockerGoga and MegaCortex malware families, meaning it shares behaviours with those established forms of targeted ransomware, including the ability to spread itself across a network once executed on a single host. The attack on STIM Group fits LockBit's established pattern of targeted attacks against businesses and organizations worldwide. The group's longevity and constant evolution, from LockBit 2.0 to the more feature-rich LockBit 3.0 platform, demonstrate its persistent threat to the global cybersecurity landscape. The public listing of STIM Group on the DLS was another data point in this ongoing criminal campaign.

Sources
1 source (available to members)