Cyber Incident Victim: Laboratoire NUXE Paris
Date:
Jan 2023
Location:
France
Summary
A French cosmetics company was targeted by the Lockbit 3.0 ransomware group, which claimed theft of 29 GB of sensitive data including laboratory analyses and demanded a $350,000 cryptocurrency ransom to prevent public release. The attackers published a sample of the allegedly stolen files alongside a 13-day countdown. The victim confirmed a cyberattack affecting certain applications but stated immediate response efforts restored functionality promptly. An investigation involving cybersecurity experts was launched alongside a legal complaint. Lockbit, known for encrypting data and extorting victims through double-extortion tactics, was noted for occasionally making unsubstantiated attack claims despite being one of the most active ransomware gangs at the time.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 2 techniques |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
On or around January 1, 2023, the Lockbit 3.0 ransomware group, identified as russophone hackers, claimed responsibility for a cyberattack against French cosmetics company Laboratoire Nuxe Paris. The attackers asserted they exfiltrated 29 gigabytes of sensitive data, equivalent to approximately 16,000 files, from Nuxe's systems. They published a sample of allegedly stolen documents on their dark web blog, which included laboratory analyses of a cosmetic product developed by the company. Lockbit demanded a ransom payment of $350,000 in cryptocurrency, threatening to release the full dataset unless paid within a 13-day countdown period. Nuxe confirmed experiencing a cyberattack affecting unspecified software applications but stated immediate team mobilization restored system availability promptly. The company filed a formal legal complaint and initiated an investigation with specialized cybersecurity experts to determine the attack's origin.
Lockbit 3.0 operated by infiltrating victim systems, stealing data before encrypting files, and extorting payment for data deletion or repurchase. The group monetized their ransomware-as-a-service model by leasing their encryption software to affiliates in exchange for a percentage of extorted funds. While Nuxe did not publicly confirm data encryption or operational disruption beyond affected applicatifs, Lockbit's standard tactics included threatening data publication if victims refused payment or utilized backups. The attackers hosted negotiations and data leak threats on their dark web platform. Security analysts noted Lockbit's status as the most active hacking group at the time, though cautioned about their history of baseless claims, including an unsubstantiated attack against France's Ministry of Justice. The published data sample suggested compromise of product development information, but Nuxe did not disclose additional impacts on operations, customers, or financial systems.