Cyber Incident Victim: Trigano
Date: Feb 2021
Location: France
Summary
Trigano, a manufacturer of recreational vehicles and camping equipment, suffered a ransomware attack attributed to the Sodinokibi (REvil) group, which disrupted computer systems and forced the shutdown of its Tournon-sur-Rhône production facility. The incident halted operations, preventing access to critical IT infrastructure, and resulted in a $2 million ransom demand from the threat actors. At the time of reporting, the company had not disclosed whether negotiations occurred, and its data had not appeared on any known ransomware leak sites.
Description
On February 9, 2021, Trigano, a manufacturer of caravans, motorhomes, camping furniture, and mobile homes, experienced a cyberattack that disrupted its operations. The attack involved ransomware, which prevented access to the company’s computer systems. By February 12, the disruption had forced the complete shutdown of Trigano’s Tournon-sur-Rhône plant in Ardèche, France, halting production at the facility. The company publicly acknowledged the ransomware incident but initially declined to disclose the specific variant involved or whether it was engaged in negotiations with the threat actors. At the time of initial reporting, no ransomware group had listed Trigano on a dedicated leak site, suggesting no confirmed data exfiltration or public extortion demands had yet materialized.

An update on February 13 revealed that the Sodinokibi (REvil) ransomware group was responsible for the attack and had demanded a $2 million ransom. The operational impact of the attack remained concentrated at the Tournon-sur-Rhône plant, where the inability to access computer systems sustained the production standstill. Trigano did not release additional details regarding containment measures, recovery progress, or whether other facilities were affected. The company’s public statements were limited to confirming the ransomware incident and the resulting operational disruption, with no elaboration on incident response timelines, data compromise, or restoration efforts. The attack underscored the immediate physical consequences of ransomware, as critical manufacturing infrastructure was idled for multiple days following the initial compromise.
