Cyber Incident Victim: Rovagnati

Date: Jul 2022

Location: Italy

Summary

Rovagnati, an Italian cured meats producer, suffered a ransomware attack by the Russian Lockbit group, which encrypted company data and exfiltrated internal documents, threatening public release unless a cryptocurrency ransom was paid within two weeks. Lockbit typically exploits unpatched server vulnerabilities, poorly secured VPN systems, compromised credentials, or phishing emails to infiltrate networks, then performs lateral movement to access administrative accounts, exfiltrate data, and deploy encryption across systems.

Description

On or around July 22, 2022, Italian cured meats producer Rovagnati suffered a ransomware attack claimed by the Russian cybercriminal group Lockbit. The group publicly asserted responsibility on its data leak site, where it posted samples of internal company documents as evidence of the breach’s success. Lockbit issued a ransom demand, typically payable in cryptocurrency, for data decryption and deletion. The attackers imposed a two-week deadline for negotiations before threatening to publish the stolen data. Ransomware attacks of this nature encrypt organizational data, rendering systems inaccessible until payment is made or decryption keys are obtained through alternative means. Failure to comply with ransom demands often leads to the exposure of exfiltrated sensitive information, a tactic Lockbit employed in prior incidents targeting Italian municipalities.

Lockbit likely gained initial access through unpatched vulnerabilities in internet-exposed servers, inadequately secured VPN systems, or compromised credentials, though phishing emails containing malicious links or attachments remained another potential vector. Upon infiltration, the group executed lateral movement techniques to expand access across Rovagnati’s network, targeting additional machines and administrative accounts. This enabled data exfiltration to Lockbit-controlled servers prior to the encryption of on-premises systems, paralyzing operations. The published document samples confirmed data theft, aligning with Lockbit’s established pattern of pressuring victims via dual extortion—combining system lockdowns with threats of confidential data leaks. No details regarding Rovagnati’s internal response, payment decisions, or system restoration timelines were disclosed in available reporting.
