One of the largest retail chains in Italy, CONAD, has apparently been struck by a cyber attack. The perpetrators? The infamous Lynx ransomware group, known for their sophisticated and 'industrialised' approach to cybercrime.
Founded in Bologna in the 60s, the Cooperativa Nazionale Dettaglianti (anglicised as the "National Retailers' Cooperative") began as a limited liability company representing a small number of businesses who wanted to jointly organise their supply chains. Recognising the pride that Italians have in gastronomic tradition, the focus of this cooperative became clear: corner the market for high-quality traditional cuisine, representing communities both big and small.
This approach led to the expansion of this cooperative into one of Italy's largest chains. With humble beginnings in Bologna, CONAD is now present in all 20 regions of Italy and has close to 4000 locations. The brand has also diversified beyond the food retail market, and operates pharmacies, pet shops, petrol stations and opticians.
However, on the 15th of January, CONAD would release a somber statement.
On 20th November 2024, Consorzio Nazionale Dettaglianti (Conad) Soc. Coop. suffered a cyber attack on its systems[.]
~ CONAD, via Federprivacy
In a statement provided to Federprivacy and subsequently republished many times over, CONAD announced that it was the victim of a cyberattack on its systems.
While customers are right to be concerned by this news, CONAD claims that the attack was, by and large, successfully repelled due to the immediate defensive measures taken in response. It also claims that while a small amount of data was obtained by the hackers, this data is "irrelevant" and does not include any sensitive or customer information.
WhiteBlueOcean has reviewed this claim and can confirm that customer data does not appear to have been widely compromised, though a large number of internal files, document scans and a limited amount of data on CONAD employees have been obtained by the Lynx ransomware group, who carried out this attack.
Figure 1: Leakpost concerning CONAD published to Lynx's leaksite (captured 05/02/2025, edited and redacted).
The Lynx cybercrime outfit is a . Lynx borrows a significant amount of source code from INC ransomware, which has led many researchers to speculate that it may be a rebrand of, and successor to, this formerly devastating ransomware. It was first discovered in July 2024 by researchers from Palo Alto Networks. Since then, it has become a dominant force in the realm of cybercrime.
In May of 2024, INC put its source code up for sale on the . The asking price was $300,000, and INC's attacks continued throughout the summer months before Lynx appeared on the scene. Because the source code of the two ransomware strains is so similar, many researchers believed this to be a simple rebranding: a tactic that ransomware groups adopt in order to shed any stigma attached to their previous name. However, with both Lynx and INC ransomware still active as we go further into 2025, it seems likelier to analysts at WhiteBlueOcean that a separate group was formed around an adapted source code that was purchased from INC themselves.
Lynx has taken a similar approach to the management of their platform as Lockbit, and critically has had the advantage of learning from all of Lockbit's mistakes. Threat intelligence firm Group-IB was able to penetrate the group's affiliate portal, shining light on their strategies and workflows. The most notable observation made by Group-IB is of Lynx's positive and holistically supportive approach towards affiliate management. Lynx affiliates are well provided for: they are given ransomware strains compatible with essentially every operating system and architecture, the means to employ and support sub-affiliates, and tools for every point in the timeline of the ransomware attack, from infiltration to exfiltration to publication and beyond.
and Italian businesses, it is clear that Lynx and the majority of ransomware groups are not targeting Italy specifically. Though Italy does receive a large share of ransomware attacks regardless, this is only Lynx's second attack made against an Italian company in its lifetime.
That being said, should you appear like prey to the ferocious and agile Lynx, then you best have strong defenses prepared.
Ransomware attacks can seemingly come out of nowhere, even within companies that already have stringent security policies in place. Even with no visible gaps in the security framework, human error and even human noncompliance can result in the infiltration of your network. That's why a company needs to do far more than put a password on things: proactivity and rapid response are key. Attacks need to be detected immediately, and quarantined immediately, regardless of your locale.
Lynx has published 44 attacks in 2025 already, but the collective number of published attacks in 2025 is already 647 as of 02/05/2025. and are publishing multiple attacks per day. And that's only what's published: many more are carried out and not published due to the payment of ransom demands, and many, many more than that are attempted.
As a company holding any amount of any type of sensitive data, it is your responsibility to make sure that you are aware of the threat landscape and capable of defending yourself. You never know: you may already be in the lynx's claws, you just don't know it yet.
https://www.statista.com/topics/8935/conad/#topicOverview
https://www.group-ib.com/blog/cat-s-out-of-the-bag-lynx-ransomware/
https://ransomfeed.it/index.php
The information contained in this article is provided for informational purposes only and does not constitute professional advice and is not guaranteed to be accurate, complete, reliable, current or error-free.