{
	"id": "d288f657-c7b5-4bf6-bf0f-22a23203e75b",
	"created_at": "2026-04-06T00:11:25.230496Z",
	"updated_at": "2026-04-10T03:20:32.261027Z",
	"deleted_at": null,
	"sha1_hash": "9854d9c81e88571202aaf185b6d47d700f4e6f78",
	"title": "Campari hit by Ragnar Locker Ransomware, $15 million demanded",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4235460,
	"plain_text": "Campari hit by Ragnar Locker Ransomware, $15 million demanded\r\nBy Lawrence Abrams\r\nPublished: 2020-11-05 · Archived: 2026-04-05 15:48:59 UTC\r\nItalian liquor company Campari Group was hit by a Ragnar Locker ransomware attack, where 2 TB of unencrypted files was\r\nallegedly stolen. To recover their files, Ragnar Locker is demanding $15 million.\r\nCampari Group is an Italian beverage company known for its popular liquor brands, including Campari, Frangelico, SKYY\r\nvodka, Epsolon, Wild Turkey, and Grand Marnier.\r\nAs first reported by ZDNet, Campari released a press statement on Monday where they stated they suffered a cyberattack\r\nover the weekend, which caused them to shut down their IT services and network.\r\nhttps://www.bleepingcomputer.com/news/security/campari-hit-by-ragnar-locker-ransomware-15-million-demanded/\r\nPage 1 of 5\n\n0:00\r\nhttps://www.bleepingcomputer.com/news/security/campari-hit-by-ragnar-locker-ransomware-15-million-demanded/\r\nPage 2 of 5\n\nVisit Advertiser websiteGO TO PAGE\r\n\"Campari Group informs that, presumably on 1 November 2020, it was the subject of a malware attack (computer virus),\r\nwhich was promptly identified. The Group's IT department, with the support of IT security experts, immediately took action\r\nto limit the spread of malware in data and systems. Therefore, the company has implemented a temporary suspension of IT\r\nservices, as some systems have been isolated in order to allow their sanitization and progressive restart in safety conditions\r\nfor a timely restoration of ordinary operations,\" Campari said in a statement.\r\nDue to this attack, the web sites for Campari and Campari Group are currently down.\r\nIf you have first-hand information about this or other unreported cyberattacks, you can confidentially contact us on Signal\r\nat +16469613731 or on Wire at @lawrenceabrams-bc.\r\nRagnar Locker claims to have stolen 2 TB of data\r\nIn a Ragnar Locker sample discovered today by security researcher Pancak3 and installed by BleepingComputer, the ransom\r\nnote clearly shows that it was used in the attack against Campari Group.\r\nRagnar Locker ransom note for Campari\r\nSource: BleepingComputer\r\nIn the ransom note, the Ragnar Locker group claims to have stolen 2 TB of unencrypted files during the attack, including\r\nbanking statements, documents, contractual agreements, emails, and more.\r\n  We have BREACHED your security perimeter and get access to every server of company's Network in different countries\r\nacross all your international offices. \r\nSo we has DOWNLOADED more than 2TB total volume of your PRIVATE SENSITIVE Data, including: \r\n-Accounting files, Banking Statements, Government letters, Licensing certificates\r\n-Confidential and/or Proprietary Business information, Celebrity Agreements, Clients and Employees Personal information\r\n(including Social Security Numbers, Addresses, Phone numbers and etc.) \r\n-Corporate Agreements and Contracts with distributors, importers, retailers, Non-Disclosure Agreements \r\n-Also we have your Private Corporate Correspondence, Emails and Workbooks, Marketing presentations, Audit reports and\r\na lot of other Sensitive Information \r\nhttps://www.bleepingcomputer.com/news/security/campari-hit-by-ragnar-locker-ransomware-15-million-demanded/\r\nPage 3 of 5\n\nAs proof that they stole data, the ransom note contains eight URLs to screenshots of some of the stolen data. These\r\nscreenshots are for sensitive documents, such as bank statements, a UK passport, employee U.S. W-4 tax forms, a\r\nspreadsheet containing SSNs, and a confidentiality agreement.\r\nA spreadsheet containing employee's SSN numbers\r\nRedacted by BleepingComputer\r\nPancak3 told BleepingComputer that Ragnar Locker claims to have encrypted most of Campari Group's servers from\r\ntwenty-four countries and are demanding $15,000,000 in bitcoins for a decryptor.\r\nThis price also includes a promise to delete data from their file servers and not publish or share the data, as well as a\r\nnetwork penetration report and recommendations to improve security.\r\nIt should be noted that ransomware negotiation service Coveware has found that ransomware operations are increasingly not\r\nkeeping their promise to delete stolen data after a ransom is paid.\r\nRagnar Locker has been involved in other large attacks this year, including ones on Portuguese multinational energy giant\r\nEnergias de Portugal (EDP) and French maritime transport and logistics company CMA CGM.\r\nBleeping Computer has contacted Campari Group with questions related to this attack but has not heard back.\r\nhttps://www.bleepingcomputer.com/news/security/campari-hit-by-ragnar-locker-ransomware-15-million-demanded/\r\nPage 4 of 5\n\nAutomated Pentesting Covers Only 1 of 6 Surfaces.\r\nAutomated pentesting proves the path exists. BAS proves whether your controls stop it. Most teams run one without the\r\nother.\r\nThis whitepaper maps six validation surfaces, shows where coverage ends, and provides practitioners with three diagnostic\r\nquestions for any tool evaluation.\r\nSource: https://www.bleepingcomputer.com/news/security/campari-hit-by-ragnar-locker-ransomware-15-million-demanded/\r\nhttps://www.bleepingcomputer.com/news/security/campari-hit-by-ragnar-locker-ransomware-15-million-demanded/\r\nPage 5 of 5",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/campari-hit-by-ragnar-locker-ransomware-15-million-demanded/"
	],
	"report_names": [
		"campari-hit-by-ragnar-locker-ransomware-15-million-demanded"
	],
	"threat_actors": [],
	"ts_created_at": 1775434285,
	"ts_updated_at": 1775791232,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9854d9c81e88571202aaf185b6d47d700f4e6f78.pdf",
		"text": "https://archive.orkl.eu/9854d9c81e88571202aaf185b6d47d700f4e6f78.txt",
		"img": "https://archive.orkl.eu/9854d9c81e88571202aaf185b6d47d700f4e6f78.jpg"
	}
}