Cyber Incident Victim: Campari Group

Date: Nov 2020

Location: Italy

Summary

The beverage company Campari Group experienced a ransomware attack by Ragnar Locker, leading to widespread IT network shutdowns to contain the malware. Attackers exfiltrated 2 terabytes of sensitive data, including financial documents and personal information, and demanded a $15 million Bitcoin ransom while threatening public release; the firm refused payment, restored operations from backups, and notified authorities amid prolonged email and website outages. This incident occurred alongside similar attacks targeting other major Italian corporations, highlighting a broader regional threat pattern.

Description

On November 1, 2020, Campari Group experienced a ransomware attack that compromised a significant portion of its global IT infrastructure. The intrusion was promptly detected by the company’s IT department, which immediately engaged cybersecurity experts to contain the malware’s spread. Systems across twenty-four countries were affected, leading Campari to implement a temporary shutdown of IT services to isolate and sanitize infected components. Forensic analysis confirmed the attackers deployed Ragnar Locker ransomware, which encrypted servers and exfiltrated approximately 2 terabytes of unencrypted data. Attackers demanded a $15 million bitcoin ransom, threatening to release stolen files—including bank statements, Social Security numbers in spreadsheets, and confidentiality agreements—if payment was not made. Ragnar Locker operators published screenshots of Campari’s internal network and sensitive documents on their dark web leak site to substantiate their claims and coerce payment.

Campari refused to negotiate with the threat actors, opting instead to restore operations from backups while collaborating with law enforcement. The company prioritized a "progressive restart in safety conditions" to minimize operational disruption, though its websites and email systems remained offline six days post-incident. Campari assured stakeholders the attack would not materially impact financial results, despite the extended IT service suspension. The incident mirrored a broader trend of ransomware campaigns targeting major Italian corporations, including ENEL, Luxottica, Geox, and Carraro, some of which experienced halted operations and employee downtime. Campari’s investigation into the breach continued, focusing on containment and recovery without disclosing specific technical vulnerabilities exploited or long-term remediation timelines.
