Cyber Incident Victim: Errebielle
Date: Apr 2023
Location: Italy
Summary
The Italian furniture manufacturer Errebielle suffered a ransomware attack by the LockBit group, which exfiltrated approximately 34GB of sensitive company data. The cybercriminals publicly posted samples of the stolen information, which included contracts, financial records, and health documents. LockBit demanded a ransom of $150,000 for the deletion of the data and an additional $10,000 to extend a countdown that was not visibly present on their leak site.
Description
On or around April 4, 2023, the Italian company Errebielle S.r.l. became the victim of a ransomware attack claimed by the cybercriminal gang known as LockBit. Errebielle is a manufacturer specializing in the production of doors and furniture accessories, recognized for high-quality standards and operating in the market for over 25 years. The company operates from four production facilities totaling over 44,000 square meters, employs 200 people, and has a production capacity of 10,000 pieces per day. The attackers, operating under the LockBit 3.0 variant, publicly claimed the attack on their data leak site (DLS). Unlike their typical modus operandi, this particular attack did not initiate the usual countdown timer that pressures victims into paying a ransom before their data is published. Instead, LockBit immediately published samples of the exfiltrated data to prove the compromise and increase pressure on the organization.

The data samples published by LockBit were stated to contain approximately 34 to 35 gigabytes of information stolen from Errebielle's IT infrastructure. An analysis of these published samples revealed they contained a variety of sensitive company data, including contracts, health cards, bank statements, financial data, and amortization plans. The publication of these samples served as a demonstration of the severity of the breach and as a threat that the entirety of the stolen data would be released publicly if the ransom demands were not met. The attackers set specific monetary demands for their services. They demanded a payment of $150,000 for the complete deletion of all the stolen data. Additionally, they offered an option to extend a countdown for 24 hours for a fee of $10,000, though notably, the countdown mechanism itself was not active on the leak site, which was described as a technical error on the part of the affiliate managing the attack.
LockBit's operation follows a ransomware-as-a-service (RaaS) model. In this model, a core team develops the ransomware tools and infrastructure, which are then used by affiliated attackers who carry out the actual intrusions. The affiliates pay to use these customized attack tools and subsequently share a portion of the extorted ransom payments with the core developers. In the case of LockBit, the attacking affiliates can receive up to three-quarters of the ransom funds. The gang has evolved through several iterations, beginning as ABCD in September 2019 before rebranding to LockBit, then to LockBit 2.0, and finally introducing LockBit 3.0 in June 2021. The 3.0 variant introduced new features for monetization, including the ability for victims to pay to extend a countdown, pay for the destruction of all exfiltrated information, or pay to download their own stolen data at any time. The gang also operates a bug bounty program targeting its own infrastructure and accepts ransom payments in Bitcoin or Monero.
The attack on Errebielle represents another incident in a series of attacks by LockBit against Italian organizations, both public and private. The primary impact on Errebielle was the encryption of its data and systems, rendering them inaccessible and disrupting business operations. A more severe secondary impact, characteristic of double extortion tactics, was the theft and threatened publication of sensitive company information. The public exposure of samples containing financial records, contracts, and employee health information posed significant risks, including potential financial fraud, reputational damage, and violations of data privacy regulations. The company's public-facing website remained operational, displaying its standard corporate information without any mention of the cyber incident, indicating that business continuity communications were maintained externally while the internal incident response was likely underway.
The response actions taken by Errebielle were not detailed in the public reporting. Standard response procedures for such incidents typically involve engaging external cybersecurity experts for forensic analysis, notifying relevant data protection authorities as required by law, and assessing the feasibility of system restoration from backups. The reporting specifically notes that recovery from a ransomware infection can be a difficult and laborious process requiring highly specialized operators. Even in cases where backups exist, recovery is not always successful, especially if those backups are connected to the network and were also encrypted or exfiltrated during the attack. The decision of whether to pay the ransom is a critical one for any victim organization. Authorities universally discourage paying, as there is no guarantee the criminals will provide a functional decryption key, and payment further fuels the criminal enterprise. The specific outcome of the incident, including whether Errebielle paid the ransom or successfully restored its systems from clean backups, was not confirmed at the time of the reporting. The cybersecurity news outlet Red Hot Cyber committed to monitoring the situation for any substantial developments and indicated it would publish a dedicated article if the company provided an official statement.
