The double extortion technique: the Campari case

In recent weeks the Campari group has suffered a serious ransomware attack of the so-called “double extortion” technique. The damage would amount to two terabytes of stolen data, with attached the threat to publish it if the company does not pay $15 million.

The attack and the reaction of the company

The ransom was carried out by the Ragnar Locker criminal group that, using the same technique, struck Capcom about a month ago, threatening the publication or auctioning of data. The nature of the information stolen from Campari remains confidential, even if the well-known Italian company has admitted the possibility of a loss – not quantified – of personal data and information related to its business. The attack had also caused a series of disruptions on the network in early November. The criminals claim to be in possession of accounting and financial documents, intellectual property, personal data of customers and employees, including identity data, as well as documents and business contracts of various kinds.

Campari publicly responded to the cyber-attack on November 3rd, identifying the nature of the threat and notifying the data protection authorities, the Postal Police and the US FBI. On the 9th of November, Campari Group announced the restoration and restart of its IT systems, carrying out sanitization activities and the installation of security add-ons, while warning that the company would temporarily suspend some features of its systems in order to fully sanitize them and to re-establish full business operation in the shortest possible time. The attack is part of the sudden increase in cybercrime cases in Italy that began in the second quarter of 2020 that claimed “high-profile” victims such as Enel, Geox and Luxottica (a total of 171 cases compared to 47 recorded in the same period in 2019, registering an increase of 250%!)


The “double extortion” technique and the Ragnar Lockers

The “double extortion” technique is an unpleasant novelty in the cyber universe. It involves encryption, theft and publication threats that make the victims vulnerable on two levels:

  1. Data loss and temporary unavailability of services as a result of encryption. At this level, the damage is similar to that of classic ransomware, including the subsequent ransom note.
  2. Publication of data involving loss of intellectual property. frequently, this information is auctioned off and can end up in the hands of a competitor, making the affected organization’s position more difficult on the market. In addition to being economical, the damage is expressed in terms of image and reputation, causing a possible loss of customers and a reduction in stock exchange value in the event of a listing.

Analysts and observers believe that the organizers of the attack are the Ragnar Locker group, which arose – together with Egregor – on the ashes of Maze, one of the most insidious groups of criminal hackers who recently announced the cessation of their criminal activity. The group is based in Eastern Europe and does not attack computers with a keyboard or system language layout corresponding to that of a country in the former Soviet Union.

Ragnar Locker allegedly participated with his own malware in the Maze attack against Honda last June. The first noteworthy independent attack occurred in mid-April 2020 against Portuguese electricity company Energias de Portugal, resulting in a 10-terabyte leak. Maze therefore revealed itself as a creature halfway between a mythological Hydra and a Phoenix: two distinct and dangerous criminal groups born from the ashes of a severed head.