Cyber Incident Victim: Trudi S.p.A.
Date: Feb 2023
Location: Italy
Summary
Trudi S.p.A., an Italian plush toy manufacturer and subsidiary of Giochi Preziosi, suffered a ransomware attack claimed by the LockBit cyber gang using their LockBit 3.0 variant, involving data encryption and exfiltration. The attackers implemented a double extortion scheme, threatening to publish stolen company data unless a ransom was paid within a 15-day countdown period, while also offering additional paid services to extend the deadline, delete stolen information, or allow exclusive data downloads. The incident disrupted operations and exposed sensitive business information, including details about the company’s licensing partnerships and product lines; the attackers leveraged the company’s brand recognition to increase pressure for payment. LockBit operates under a ransomware-as-a-service model, collaborating with affiliates who receive most ransom proceeds.
Description
On February 16, 2023, the LockBit ransomware gang publicly claimed responsibility for a cyberattack targeting Trudi S.p.A., an Italian manufacturer of plush toys under the Trudi and Sevi brands. The attackers posted a countdown timer on their dark web data leak site (DLS), threatening to publish stolen company data on March 4, 2023, at 4:35 UTC unless a ransom was paid. LockBit used version 3.0 of their ransomware, which employed double extortion tactics – encrypting systems to disrupt operations while simultaneously exfiltrating sensitive data to pressure payment. The group’s DLS post contained biographical details about Trudi’s corporate history, including its 1954 founding in Tarcento by Gertrud Müller and its 2019 acquisition by Giochi Preziosi group, suggesting they accessed internal documents. LockBit offered Trudi three payment options: an extension to the publication deadline, permanent destruction of stolen data, or exclusive download access to the exfiltrated files, with each service requiring separate cryptocurrency payments in Bitcoin or Monero.

Trudi S.p.A. faced operational paralysis from encrypted systems and reputational damage from the potential exposure of intellectual property and business data. The company’s recognition as an established brand with licensing partnerships made it an attractive target for extortion. No disclosure was provided regarding detected attack vectors, containment measures, decryption success, or ransom negotiation status. LockBit’s affiliate-based RaaS model allowed them to profit through negotiated ransom splits while outsourcing attack execution. Historical patterns with LockBit victims indicated that data could be released if demands remained unmet, and that technical decryption failures sometimes occurred even after payment. The attack occurred amidst LockBit’s established pattern of targeting Italian organizations, aligning with their operational focus on European entities.
