Cyber Incident Victim: ALPA

Date: Jul 2022

Location: Italy

Summary

The Italian chemical company ALPA, specializing in leather production for high-end fashion and furnishings, fell victim to a LockBit 3.0 ransomware attack involving double extortion tactics. The threat actors encrypted systems and exfiltrated sensitive data, including user database samples, threatening to publish the stolen information unless a ransom was paid within a nine-day countdown. This incident marked LockBit 3.0's second attack against an Italian organization, following a prior compromise of multinational FAAC, demonstrating the group's continued targeting of regional entities through its ransomware-as-a-service model.

Description

On or around July 6, 2022, the Italian chemical manufacturing company ALPA suffered a ransomware attack attributed to the LockBit 3.0 cybercriminal group. LockBit 3.0, an evolution of the earlier LockBit 2.0 ransomware-as-a-service (RaaS) operation, infiltrated ALPA's IT infrastructure, exfiltrated sensitive data, and encrypted systems. The attackers initiated a 9-day countdown timer set to expire on July 15 at 18:50 UTC, threatening to publish stolen data on their dark web leak site unless ALPA paid the ransom. This marked LockBit 3.0's second confirmed Italian victim following their attack on multinational company FAAC days earlier.

ALPA, founded in 1957 by engineer Gualtiero Gualtieri and led by his daughter Gloria Gualtieri as CEO, specialized in leather treatment chemicals for luxury footwear, handbags, fashion accessories, and furniture manufacturing. The company operated production facilities in Santa Croce Sull'Arno, Solofra, Arzignano, and India.

LockBit actors published samples of exfiltrated data to pressure ALPA, including what appeared to be a user database table. The group employed double extortion tactics – demanding payment for both decryption keys and suppression of stolen data. LockBit 3.0 introduced new extortion options compared to previous versions: victims could pay additional fees to extend the publication deadline, permanently delete stolen data, or obtain exclusive download access to their leaked information.

The ransomware operation followed a RaaS model where affiliates paid to use LockBit's tools and received up to 75% of ransom proceeds. Historical analysis indicated LockBit's lineage traced back to the ABCD ransomware first observed in September 2019, with rebranding to LockBit in 2020 and subsequent major version updates.

The attack disrupted ALPA's operations, risking exposure of proprietary manufacturing data and sensitive business information critical to their high-end leather treatment processes. No public statements from ALPA regarding ransom payment decisions or operational recovery timelines were reported in the immediate aftermath. Cybersecurity monitoring services continued tracking potential data leaks as the July 15 deadline approached.
