Cyber Incident Victim: Tonoli

Date: Feb 2023

Location: Italy

Summary

The Italian transport company Tonoli suffered a ransomware attack by the LockBit 3.0 gang, which encrypted its systems and exfiltrated data. Using double extortion tactics, the attackers initiated an 11-day countdown and threatened to publish the stolen information on their underground leak site unless a ransom was paid. In its leak site post, LockBit highlighted Tonoli's logistics operations, including real-time fleet tracking and national/international transport services. The incident disrupted critical infrastructure and risked exposure of sensitive operational data. It is consistent with LockBit's RaaS model, in which affiliates receive most ransom payments. The group has previously targeted multiple Italian organizations.


Description

On or around February 4, 2023, the Italian transport company Tonoli suffered a ransomware attack attributed to the LockBit 3.0 cybercriminal group. LockBit publicly claimed responsibility by posting a victim entry on its data leak site (DLS), initiating an 11-day countdown timer set to expire on February 14 at 23:27 UTC. The group threatened to publish stolen company data unless Tonoli paid an unspecified ransom, likely demanded in Bitcoin or Monero cryptocurrency. This announcement followed LockBit's standard extortion methodology of combining data encryption with threats of sensitive data exposure to pressure victims into compliance. The attackers exfiltrated operational data prior to deploying ransomware, though the exact scope of compromised systems remains undisclosed.

LockBit 3.0's infrastructure enabled additional coercive options beyond the initial deadline, including paid extensions to delay data publication, destruction of stolen records for a fee, or exclusive access to download exfiltrated data. Tonoli's specialized groupage transport operations, real-time satellite fleet monitoring systems, and national/international logistics networks were explicitly referenced in LockBit's DLS post, indicating reconnaissance of critical business functions.

The incident disrupted Tonoli's IT infrastructure, potentially affecting transport coordination, client data management, and supply chain operations. No public statements from Tonoli regarding ransom negotiations, decryption success, or operational recovery timelines were reported.

LockBit's affiliate-driven RaaS model meant attackers could receive up to 75% of any paid ransom, incentivizing aggressive targeting of mid-sized enterprises like Tonoli. Historical patterns with LockBit victims suggested significant recovery challenges, particularly if backups were compromised during the attack or decryption efforts failed post-payment. The public exposure of sensitive logistics data posed reputational and competitive risks to Tonoli's business relationships across Italy and the Iberian Peninsula.
