Cyber Incident Victim: Lubrimetal

Date: Mar 2023

Location: Italy

Summary

An Italian chemical company specializing in lubricants and metal treatment products suffered a ransomware attack by the LockBit group, involving data exfiltration and encryption of its IT systems. The attackers issued a 14-day ultimatum for ransom payment under threat of publishing stolen information through their leak site, employing double extortion tactics common to LockBit 3.0 operations. While the ransom amount remained undisclosed, such demands typically correlate with victim revenue and data sensitivity. The incident disrupted operations and exposed potential risks of sensitive information disclosure, though no substantive updates regarding data publication or resolution were confirmed. LockBit's ransomware-as-a-service model enables affiliates to conduct tailored attacks while sharing extortion profits with developers.


Description

On March 13, 2023, the LockBit ransomware group publicly claimed responsibility for a cyberattack targeting Lubrimetal, an Italian chemical manufacturing company specializing in lubricants and surface treatment products for metals. LockBit 3.0, the latest iteration of the ransomware operation at the time, implemented its standard extortion protocol by announcing a 14-day countdown on its data leak site. The group threatened to publish stolen company data on March 28 at 01:36 UTC unless Lubrimetal complied with unspecified ransom demands. The attack followed LockBit's established ransomware-as-a-service (RaaS) model, through which affiliated attackers deploy the malware in exchange for profit-sharing agreements that grant them up to 75% of ransom payments. No financial demand specifics or data samples were disclosed publicly during this phase, differing from some contemporaneous LockBit operations where alternative extortion options—such as payment extensions or data destruction fees—were advertised.

Lubrimetal, founded in 1959 in Lecco, Italy, maintained operations focused on customized chemical solutions for industrial clients, emphasizing technical expertise and environmental responsibility as core corporate values. The ransomware incident directly threatened these operational priorities by compromising sensitive data and potentially disrupting critical systems, though the company did not publicly disclose system downtime or recovery efforts. LockBit's attack leveraged data exfiltration followed by encryption of Lubrimetal's systems—a dual-extortion tactic intended to pressure victims into paying by combining operational disruption with reputational damage risks from leaked proprietary information. As of the initial reporting date, no further updates regarding data publication, payment negotiations, or system restoration were confirmed. The incident underscored LockBit's persistent targeting of Italian organizations across both public and private sectors, employing evolving RaaS strategies that included infrastructure vulnerability rewards, cryptocurrency purchasing systems, and affiliate program enhancements introduced through the LockBit 3.0 platform update.
