In September 2023, Liberty Lines, an Italian transportation company, fell victim to a multi-extortion ransomware attack by the LostTrust ransomware group, an evolution of the SFile and Mindware families. The attack involved data encryption, exfiltration, and service disruption, with the ransomware terminating critical processes, deleting Volume Shadow Copies, and clearing Windows Event Logs to hinder recovery. Victims received ransom notes threatening public data leaks unless demands ranging from $100,000 to millions were met. The group, linked to the MetaEncryptor gang, listed 53 victims on its leak site, targeting sectors globally, with Italy and the USA most affected. The attack encrypted files with the ‘.losttrustencoded’ extension and left ransom notes named ‘!LostTrustEncoded.txt’.

The incident underscores the operational and financial risks of ransomware, as Liberty Lines likely faced service outages, reputational damage, and potential regulatory penalties for data breaches. While the exact scope of compromised data (e.g., customer/employee records) was not detailed, the multi-extortion tactic, combining encryption, theft, and public shaming, amplifies pressure on victims. The attack also highlights the evolving sophistication of ransomware groups, who exploit vulnerabilities to maximize disruption and profit. SentinelOne’s detection tools identified LostTrust’s malicious behaviors, but the breach serves as a warning for organizations to strengthen defenses against advanced persistent threats (APTs) and ransomware-as-a-service (RaaS) models.
Source: https://hackmanac.com/news/losttrust-ransomware-operation-analysis
TPRM report: https://www.rankiteo.com/company/liberty-lines-s.p.a.
"id": "lib543092125",
"linkid": "liberty-lines-s.p.a.",
"type": "Ransomware",
"date": "1/2023",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'industry': 'transportation (likely public transit)',
'location': 'Italy',
'name': 'Liberty Lines',
'type': 'company'}],
'data_breach': {'data_encryption': True, 'data_exfiltration': True},
'date_detected': '2023-09',
'date_publicly_disclosed': '2023-09',
'description': 'In September 2023, the LostTrust ransomware group, an '
'evolution of the SFile and Mindware ransomware families, '
'launched a multi-extortion attack on Liberty Lines in Italy. '
'The ransomware, which shares similarities with MetaEncryptor, '
'terminates critical services and processes to facilitate '
'encryption and data exfiltration, removes Volume Shadow '
'Copies, and clears Windows Event Logs. Victims receive ransom '
'notes portraying the attackers as security specialists, '
'threatening to publicize stolen data if the ransom is not '
'paid. The LostTrust leaks site listed 53 victims at the time '
'of writing. The group, believed to be a rebrand of the '
'MetaEncryptor gang, has targeted various sectors, with the '
'USA and Italy being the most affected. The ransomware appends '
"the '.losttrustencoded' extension to encrypted files and "
"generates ransom notes named '!LostTrustEncoded.txt'. Ransom "
'demands range from $100,000 to several million dollars.',
'impact': {'brand_reputation_impact': True,
'data_compromised': True,
'operational_impact': True,
'systems_affected': True},
'investigation_status': 'publicly disclosed (limited details on resolution)',
'lessons_learned': 'The attack highlights the ongoing threat posed by '
'ransomware groups (especially rebranded or evolved '
'strains) and the critical need for robust cybersecurity '
'measures, including advanced detection platforms like '
"SentinelOne's Singularity.",
'motivation': 'financial gain (ransom demands ranging from $100,000 to '
'several million dollars)',
'ransomware': {'data_encryption': True,
'data_exfiltration': True,
'ransom_demanded': '$100,000 to several million dollars',
'ransomware_strain': 'LostTrust (evolution of SFile and '
'Mindware, rebrand of MetaEncryptor)'},
'recommendations': ['Implement advanced endpoint detection and response (EDR) '
'solutions to detect and prevent ransomware behaviors '
'(e.g., process termination, Volume Shadow Copy deletion, '
'log clearing).',
'Regularly back up critical data and store backups '
'offline or in immutable storage to mitigate ransomware '
'impact.',
'Enhance employee training on phishing and social '
'engineering to prevent initial access by threat actors.',
'Monitor dark web and ransomware leak sites for early '
'signs of data exfiltration or breaches.',
'Adopt a zero-trust security model to limit lateral '
'movement by attackers.'],
'references': [{'source': 'SentinelOne (analysis of LostTrust ransomware)'}],
'response': {'third_party_assistance': ["SentinelOne's Singularity platform "
'(detection and prevention)']},
'threat_actor': 'LostTrust ransomware group (evolution of SFile and Mindware, '
'rebrand of MetaEncryptor)',
'title': 'LostTrust Ransomware Attack on Liberty Lines (Italy)',
'type': ['ransomware', 'multi-extortion attack', 'data exfiltration']}