Cyber Incident Victim: CMC Ravenna

Date: Oct 2020

Location: Italy

Summary

CMC in Ravenna was compromised by NetWalker ransomware, prompting an intensive restoration effort involving a team of 20 engineers working continuously for four days to fully recover the cooperative's network. The organization refused to pay the unspecified ransom demand, which was anticipated to align with NetWalker's typical multimillion-dollar extortion amounts. The incident had not yet been publicly listed on the ransomware group's dedicated leak site at the time of reporting.

Description

On or around October 26, 2020, the Cooperativa Muratori e Cementisti (CMC) in Ravenna, Italy, experienced a ransomware attack attributed to the NetWalker group. The attack compromised the cooperative’s network infrastructure, disrupting operations and necessitating immediate remediation efforts. A response team of 20 engineers from Itway, an Italian IT services company, was deployed to restore systems. These engineers worked continuously for four days to achieve full network recovery, indicating significant operational disruption during this period. CMC management publicly stated they would not comply with the attackers’ ransom demand, adhering to a no-payment policy despite the severity of the incident. While the exact ransom figure was not disclosed in public reports, the article noted that NetWalker typically demanded millions of dollars in comparable attacks, suggesting the financial stakes were substantial. The attackers had not yet listed CMC Ravenna on their dedicated leak site at the time of reporting, leaving uncertainty regarding potential data exfiltration or future publication of stolen information.

The incident caused prolonged operational downtime, with restoration efforts spanning multiple days and requiring intensive technical intervention. The engagement of Itway’s specialized engineers underscored the complexity of neutralizing the ransomware’s impact and restoring critical systems. NetWalker’s established modus operandi, combining encryption with data theft threats, raised concerns about potential exposure of sensitive cooperative data, though no evidence of actual data leakage was confirmed in the initial report. By refusing to negotiate with the threat actors, CMC eliminated the possibility of a swift decryption key exchange and opted instead for a resource-intensive recovery process. The absence of the incident on NetWalker’s leak site by October 26 left unresolved whether the attackers would escalate pressure by publishing data or whether the delay reflected tactical considerations. Financial implications included both the direct costs of emergency response and potential indirect losses from operational paralysis, contrasting with the unreported but presumably high ransom demand.
