Cyber Incident Victim: Belletti Ascensori
Date:
Oct 2022
Location:
Italy
Summary
Belletti Ascensori, an Italian elevator and lift manufacturer with a multi-generational history and approximately 30 employees, fell victim to a LockBit 3.0 ransomware attack. The threat actors deviated from their typical tactics by omitting sample leaks or countdown delays, instead publishing a detailed company profile on their data leak site highlighting the organization's operational legacy and trusted external collaborators. LockBit, operating under a ransomware-as-a-service model, has previously targeted numerous Italian public and private entities, including municipal governments and tourism agencies. The incident exposed sensitive organizational details but did not disclose specific operational disruptions or data exfiltration claims.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 2 motives | 1 technique |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
On or around October 30, 2022, Italian elevator and lift manufacturer Belletti Ascensori suffered a ransomware attack attributed to the LockBit 3.0 criminal group. The attackers compromised the company's systems and subsequently published a message on LockBit's dedicated data leak site (DLS) instead of following their standard protocol of releasing stolen samples or offering countdown extensions for ransom negotiations. The published message contained a detailed description of Belletti Ascensori's corporate history, emphasizing its century-long operations since the 1900s, its workforce of thirty direct employees, and its network of trusted external collaborators. LockBit highlighted the company's technological modernization and market leadership position, framing the attack within the context of Belletti's generational legacy in industrial elevator manufacturing. No operational disruptions or specific compromised systems were disclosed in the available information. At the time of reporting, Belletti Ascensori had not issued an official public statement regarding the incident, though cybersecurity monitoring groups were actively tracking developments.
The LockBit ransomware operation, functioning under a ransomware-as-a-service (RaaS) model, had previously targeted multiple Italian organizations across both public and private sectors prior to the Belletti Ascensori intrusion. Documented public sector victims included ASP Messina, the municipalities of Villafranca, Gonzaga, and Gorizia, the National Tourism Agency, and ULSS6 Padova's healthcare network. LockBit's attack methodology typically involves data exfiltration followed by extortion threats to publish stolen information unless ransom demands are met. In this incident, the absence of standard countdown timers or sample releases represented a deviation from the group's usual tactics, though the fundamental objective of coercing payment through reputational and operational pressure remained consistent. The publication of corporate background details suggested strategic emphasis on exploiting Belletti's established market reputation as leverage. Cybersecurity analysts noted the incident as part of LockBit's continued focus on Italian targets but lacked confirmation regarding data volumes compromised, financial impacts, or remediation efforts undertaken by Belletti Ascensori.