Cyber Incident Victim: AD Consulting

Date: Aug 2022

Location: Italy

Summary

An Italian consulting firm specializing in digital innovation services with multiple subsidiaries and over 100 employees fell victim to a BlackCat (ALPHV) ransomware attack. The attackers exfiltrated personal data from the organization's IT infrastructure and posted samples on their leak site, though no formal communications or ransom demands were initially visible. The incident involved double extortion tactics, threatening data publication unless payment was made. BlackCat ransomware employs Rust-based code and operates under a Ransomware-as-a-Service model, targeting Windows, Linux, and VMware systems while offering affiliates up to 90% of extorted funds. The attack disrupted operations for the firm, which provides consulting, software engineering, startup services, and SME solutions across its branches.


Description

On or around August 5, 2022, the Italian consulting firm AD Consulting became a confirmed victim of a BlackCat/ALPHV ransomware attack. The threat actors compromised the organization’s IT infrastructure, exfiltrating sensitive personal data before deploying ransomware to encrypt systems. BlackCat subsequently published samples of the stolen data on its dedicated data leak site (DLS) as proof of the breach, though no formal ransom note or communication appeared alongside the initial leak post. AD Consulting, a group with four Italian offices and over 100 employees, provides digital transformation consulting and managed services through subsidiaries specializing in software engineering (Euei), startup support (scaleU), SME application solutions (Marp), and smart innovation projects (Intent-Tech). The operational disruption impacted multiple business units within the corporate structure, though the specific affected systems (Windows, Linux, or VMware environments) were not detailed in public disclosures.

BlackCat employed its characteristic double-extortion model, combining data encryption with threats to publish stolen information unless a ransom was paid. The ransomware, written in Rust for cross-platform compatibility, operated under a Ransomware-as-a-Service (RaaS) framework that allowed affiliates to retain up to 90% of extorted funds. While the exact ransom demand and payment status remained undisclosed, the presence of exfiltrated data samples on the DLS indicated successful data theft prior to encryption. No containment measures, incident response actions, or forensic findings from AD Consulting were publicly confirmed at the time of reporting. Cybersecurity monitor RedHotCyber noted it would track developments, and the company offered to provide statements through official channels upon request. The incident exposed operational vulnerabilities and created reputational risks stemming from the potential exposure of client or employee personal data held within AD Consulting’s infrastructure.
