Cyber Incident Victim: MWD Digital

Date: Jul 2022

Location: Italy

Summary

MWD Digital, an Italian company specializing in digital services, fell victim to a LockBit 3.0 ransomware attack, with the threat actors initiating a countdown for potential data publication on their leak site. The attackers claimed access to sensitive information and highlighted the victim's expertise in data management and digital strategy. LockBit operates under a ransomware-as-a-service model, enabling affiliates to conduct customized attacks while sharing ransom profits, with affiliates receiving up to 75% of payments. The incident underscores ransomware's disruptive potential, including data exfiltration threats and operational paralysis, though specific impacts on the organization remain undisclosed.

Description

On July 21, 2022, the Italian digital services firm MWD Digital, based in Verona, became the latest victim of the LockBit 3.0 ransomware operation. The LockBit cybercrime group publicly claimed responsibility for the attack by listing MWD Digital on its data leak site (DLS), initiating a two-day countdown timer set to expire on July 24 at 04:23 UTC. This timer indicated the deadline before LockBit threatened to publish stolen company data on underground platforms. The group did not initially release samples of the exfiltrated data but displayed a promotional description of MWD Digital’s services copied directly from the company’s materials, including references to its expertise in Data Management, Digital Strategy, Security, Application Development, Hosting, Social Media & Content Management, and Digital Advertising, along with its 15-year operational history. Security researcher Claudio Segala (@sonoclaudio) first documented the incident by sharing a screenshot of LockBit’s DLS announcement on Twitter, bringing the breach to wider attention.

LockBit 3.0 operated under a ransomware-as-a-service (RaaS) model, where affiliates paid to deploy customized attacks and received up to 75% of ransom proceeds, with the remainder going to the ransomware’s developers. The variant used in this attack introduced new capabilities, including extended negotiation countdown timers, mechanisms to destroy exfiltrated data if payment demands were unmet, and functionality allowing attackers to download stolen data during negotiations. While the specific ransom demand, payment status, and exact scope of data exfiltration were not disclosed in LockBit’s initial post, the group’s history suggested significant operational disruption and financial pressure on victims. MWD Digital faced potential exposure of sensitive client and operational data if the countdown expired without resolution. No details regarding MWD’s internal detection methods, containment efforts, or recovery steps were publicly available at the time of reporting. The incident highlighted LockBit’s continued targeting of European organizations and its evolution toward more coercive extortion tactics.
