Cyber Incident Victim: Cassa Nazionale di Previdenza ed Assistenza Ragionieri e Periti Commerciali
Date: Feb 2023
Location: Italy
Summary
The Italian National Welfare and Assistance Fund for Accountants and Commercial Experts suffered a ransomware attack by the LockBit 3.0 group, leading to system encryption and data exfiltration. The attackers demanded $400,000 for data deletion and offered daily countdown extensions for $1,000, threatening to release stolen confidential information—including contracts, personal data, and financial records—if unpaid. Services were temporarily disrupted, requiring password resets for user accounts upon restoration. The organization publicly attributed operational issues to an unspecified "unforeseen system blockage" without acknowledging the cyberattack, while LockBit published samples of exfiltrated data to escalate pressure for ransom payment.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 2 techniques |

| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
On or around February 5, 2023, the Italian organization Cassa Nazionale di Previdenza ed Assistenza Ragionieri e Periti Commerciali (CNPR) experienced a ransomware attack attributed to the LockBit 3.0 cybercriminal group. The attackers compromised CNPR's IT infrastructure, encrypting systems and exfiltrating sensitive data. LockBit subsequently listed CNPR on its data leak site (DLS) on February 13, initiating a 10-day countdown—set to expire on February 23 at 15:26 UTC—threatening to publish stolen data unless ransom demands were met. The group demanded $400,000 for complete data deletion and offered a $1,000 per day extension to the countdown timer. LockBit claimed possession of extensive confidential information including private correspondence, client/partner contracts, personal data, financial records, accounting documents, and other unspecified business-critical materials. To substantiate their claims and increase pressure, the group published samples of exfiltrated data on their DLS.

CNPR responded to the incident by temporarily suspending affected services while working to restore operations. By February 13, the organization announced via a website banner that all IT services had been reactivated, including the Pagonline contribution payment platform accessible through member portals. The public statement described the disruption as an "unpredictable system blockage now resolved," avoiding explicit acknowledgment of a cyberattack. CNPR mandated password resets for all users accessing reserved areas after February 5 and advised following login instructions for credential updates. The toll-free helpline (800 814 601) resumed operations on February 14, operating weekdays from 9:30 AM to 1:00 PM. Service restoration efforts prioritized realigning operational activities, though the organization acknowledged ongoing work to fully normalize all functions. The attack caused measurable service disruptions, including temporary unavailability of digital payment systems and member portals during the containment period. LockBit's DLS post emphasized the scale of data compromise while CNPR's communications focused exclusively on service recovery without addressing the ransomware group's assertions or the potential exposure of sensitive information.
