
Cyber Incident Victim: FAAC Group

Date: Jul 2022

Location: Italy

Summary

FAAC Group, an Italian multinational specializing in access automation systems, fell victim to a LockBit 3.0 ransomware attack compromising its IT infrastructure. The attackers exfiltrated 25.4 GB of confidential data including operational procedures, employee records, customer files, and proprietary project details, threatening public release unless demands were met. Ransom options included $554,000 for data deletion or $5,000 daily extensions to the publication deadline. LockBit encouraged affected customers to pursue legal action against the company for alleged confidentiality failures. The incident highlighted the gang's ransomware-as-a-service model, employing double extortion tactics to pressure victims into payments.


Description

On July 4, 2022, the LockBit 3.0 ransomware gang publicly claimed responsibility for infiltrating the IT infrastructure of FAAC Group, an Italian multinational specializing in access automation systems. The attackers initiated a 13-day countdown to July 13, 2022, at 20:59 UTC, threatening to publish 25.4 GB of exfiltrated data unless demands were met. They offered two payment options: $554,000 in cryptocurrency for complete data deletion or $5,000 per day to extend the publication deadline. The compromised data included confidential operational documents, employee records, logistics files, customer information, and proprietary project implementation details. LockBit specifically encouraged affected customers to pursue legal action against FAAC for alleged negligence in safeguarding confidential data. FAAC Group, founded in 1965, operated 32 commercial entities across 24 countries with 18 production sites and over 2,400 employees, making this a significant multinational incident. The attackers utilized LockBit 3.0's updated extortion model, which introduced monetization features beyond traditional ransomware encryption, including countdown extensions and exclusive data access purchases. No information was provided regarding FAAC's operational disruptions, containment efforts, or whether ransom payments were made.


LockBit 3.0 represented an evolution of the ransomware-as-a-service operation, having rebranded from earlier iterations known as ABCD (2019) and LockBit 2.0 (2021). The group operated on an affiliate model where attackers received up to 75% of ransom proceeds, incentivizing targeted attacks against organizations. This incident marked LockBit 3.0's first publicly confirmed Italian victim since the variant's release. The gang's data leak site contained extensive corporate profiling of FAAC, including its estimated €34.8 million revenue, French headquarters address, and business unit descriptions covering gate automation, parking technology, and access control systems. Potential impacts included reputational damage from customer data exposure, legal liabilities from breached confidentiality obligations, and operational risks from the theft of proprietary technical documentation. The absence of disclosed decryption demands suggested LockBit 3.0 may have focused primarily on data exfiltration extortion rather than system encryption in this case. Historical analysis linked LockBit's behavior to the LockerGoga and MegaCortex malware families, noting self-propagation capabilities within networks post-execution.
