
Cyber Incident Victim: Metronotte Vigilanza

Date: May 2023

Location: Italy

Summary

The ransomware group LockBit claimed a cyberattack against the Italian security firm Metronotte Vigilanza. The attackers exfiltrated data, which they threatened to publish, and set a countdown for the victim to pay a ransom. Samples of the stolen data, including identification documents and contractual information, were posted on the group's data leak site to increase pressure. LockBit operates on a ransomware-as-a-service model and is known for highly targeted attacks against organizations.


Description

On or around May 11, 2023, the LockBit ransomware operation publicly claimed responsibility for a cyberattack against the Italian company Metronotte Vigilanza. The group announced the attack on its dedicated Data Leak Site (DLS), which it uses to pressure victims by threatening to publish stolen data. The announcement included a countdown timer set to expire in twelve days, on May 24, 2023, at 00:21 UTC. This established a clear deadline for the victim company, after which LockBit threatened to release the exfiltrated data into the underground ecosystem.


The victim, Metronotte Vigilanza, is an Italian security firm that, according to its website, offers comprehensive security solutions for businesses, public entities, small retailers, and private individuals. The LockBit group supported its claim by publishing samples of the allegedly stolen data on its DLS. These samples were stated to include identification documents and contractual information, indicating that the attackers had successfully exfiltrated sensitive data from the company's IT infrastructure prior to deploying the ransomware. The publication of these samples served as proof of the breach and was a tactical move to incentivize the victim to engage in ransom negotiations.

LockBit is a well-established cybercriminal group that operates on a Ransomware-as-a-Service (RaaS) model. It began its operations in September 2019 under the name ABCD before rebranding to LockBit. The group has since evolved through several iterations, including LockBit 2.0 and, most recently, LockBit 3.0, which was introduced around June 2022. The group is considered by many authorities to be part of the LockerGoga and MegaCortex malware families, meaning it shares behaviors with these established forms of targeted ransomware and has the ability to self-propagate once executed within a network. In the RaaS model, affiliates pay to use the customized attack platform and conduct attacks on behalf of the core group. The ransom payments are then split between the LockBit development team and the attacking affiliates, with the affiliates receiving up to three-quarters of the funds.

The attack on Metronotte Vigilanza utilized the LockBit 3.0 variant. This version introduced several new features designed to further monetize the attacks beyond the simple ransom for a decryption key. These features, which were part of the pressure tactics employed against Metronotte Vigilanza, included the ability for a victim to pay to extend the countdown timer, to pay for the complete destruction of all exfiltrated information, and to pay for exclusive access to download their own stolen data. Each of these "services" carried a different cost and could be paid for using Bitcoin or Monero cryptocurrencies. The exact ransom amount demanded from Metronotte Vigilanza was not disclosed publicly, but it was noted that LockBit typically sets ransom demands commensurate with a victim company's revenue and the quantity and type of data acquired during the attack.

The incident exemplifies a double-extortion attack strategy, which has become a standard tactic for sophisticated ransomware groups. The first element is the encryption of critical data and systems, rendering them inaccessible to the organization and disrupting business operations. The second, and often more damaging, element is the theft of sensitive data prior to encryption. The attackers then threaten to publish this data, creating a separate set of risks including regulatory fines, reputational damage, and potential lawsuits from affected clients and partners. This dual-threat approach significantly increases the pressure on victims to pay the ransom.

The public claim on the Data Leak Site is a central component of LockBit's operational procedure. It serves to publicly shame the victim and increase the pressure to pay by making the breach known to clients, partners, and the wider public. The group uses this public platform to display victim names, set deadlines, and provide evidence of the data theft. For Metronotte Vigilanza, this meant the attack and the impending data release became a public matter from the moment LockBit posted its claim. The cybersecurity news blog Red Hot Cyber reported on the claim shortly after it appeared, noting it would monitor the situation for further substantive developments and was open to publishing any official statement from the company.

The immediate impact on Metronotte Vigilanza involved the encryption of its IT systems, which likely caused significant operational disruption to a company whose business is providing security services. The secondary impact stemmed from the confirmed exfiltration of sensitive data, including personal identification documents and private contractual information. The potential publication of this data posed a severe threat to the privacy of individuals and the confidentiality of business agreements involving the company. The company's response to the incident, including whether it engaged in negotiations or paid any ransom, was not detailed in the public reporting available. The long-term consequences would include potential regulatory scrutiny under data protection laws like the GDPR, costs associated with incident response and recovery, and potential reputational harm that could affect future business prospects.

The recovery process from a LockBit infection is described as being difficult and laborious, requiring highly specialized operators for reliable data recovery. Even with data backups, restoration is not always successful, especially if those backups are connected to the network and are also encrypted or compromised during the attack. The reporting emphasized that critical backups must be isolated from the network for optimal protection. The incident underscores the severe business impact of ransomware, which can deeply undermine a company's operations and financial stability. This case was noted as being part of a pattern, as the LockBit group had previously claimed numerous attacks against both public and private organizations within Italy across all three of its ransomware variants.
