Full Report
A titan of Italy’s textile industry, which serves brands such as H&M, Adidas, Calzedonia, and Wolford, has been claimed as the victim of a ransomware attack. RansomHouse, a cybercriminal gang behind the alleged ransomware attack, has listed Fulgar as a victim on its leak site on the dark web. The attackers’ post went live on…
Analysis Summary
# Incident Report: Ransomware Attack on Fulgar
## Executive Summary
The Italian textile industry titan, Fulgar, serving major brands like H&M and Adidas, was compromised in a ransomware attack attributed to the RansomHouse cybercriminal group. The group claimed the attack, which involved data encryption, and listed the company on its dark web leak site following data exfiltration. The public exposure occurred on November 12th, though the attackers claim unauthorized access and encryption dated back to October 31st.
## Incident Details
- Discovery Date: November 12, 2025 (Date of public listing/discovery via dark web monitoring)
- Incident Date: Attack activity likely commencing on or before October 31, 2025.
- Affected Organization: Fulgar (Italian textile industry titan)
- Sector: Manufacturing/Textile Supply Chain
- Geography: Italy
## Timeline of Events
### Initial Access
- Date/Time: On or before October 31, 2025 (Date when attackers claim to have been "sitting on encrypted data").
- Vector: Not explicitly stated in the summary provided.
- Details: Attackers gained access and began encrypting data.
### Lateral Movement
- Date/Time: Between October 31 and November 12, 2025.
- Details: The presence of encrypted data implies successful lateral movement following initial access to deploy ransomware.
### Data Exfiltration/Impact
- Date/Time: Prior to November 12, 2025.
- Details: The threat actor confirmed possession of encrypted data, strongly indicating data exfiltration prior to or during the encryption phase, as is standard for modern ransomware groups like RansomHouse.
### Detection & Response
- Date/Time: November 12, 2025 (Public confirmation via RansomHouse leak site post).
- Details: The incident became known publicly when RansomHouse posted Fulgar to its leak site. Response actions are not detailed in the provided text.
## Attack Methodology
*Note: Specific TTPs are not detailed in the source; this section reflects the assumed methodology based on the "Ransomware Attack" classification by RansomHouse.*
- Initial Access: Unknown (Likely phishing, exploitation of unpatched vulnerability, or compromised credentials).
- Persistence: Unknown.
- Privilege Escalation: Unknown.
- Defense Evasion: Unknown.
- Credential Access: Unknown.
- Discovery: Unknown.
- Lateral Movement: Assumed to have occurred to deploy encryption across the network.
- Collection: Assumed data collection/exfiltration occurred prior to encryption.
- Exfiltration: Confirmed data theft ("sitting on encrypted data").
- Impact: Data encryption and extortion attempt (Ransomware execution).
## Impact Assessment
- Financial: Unknown (Presumably significant due to the nature of the attack and ransom demands).
- Data Breach: Sensitive or proprietary operational data, and potentially client information such as supply-chain data for H&M and Adidas, was accessed and stolen. The volume is unknown.
- Operational: Significant disruption suspected due to system encryption across the supply chain operations.
- Reputational: High, as Fulgar is a key supplier to globally recognized brands (H&M, Adidas, Calzedonia, Wolford).
## Indicators of Compromise
- Network indicators: None provided.
- File indicators: None provided.
- Behavioral indicators: Deployment of ransomware leading to data encryption; listing on the RansomHouse dark web leak site.
## Response Actions
- Containment measures: Not detailed in the public summary.
- Eradication steps: Not detailed in the public summary.
- Recovery actions: Not detailed in the public summary.
## Lessons Learned
- Resilience Gaps: A significant gap allowed unauthorized access to persist for at least 12 days (October 31 to November 12) before detection or public disclosure.
- Supply Chain Risk: Attack on a critical manufacturing supplier impacts major international consumer brands, highlighting third-party risk exposure.
## Recommendations
- Strengthen perimeter defenses broadly, since the initial access vector has not been identified.
- Implement rigorous network segmentation to limit lateral movement impact.
- Enhance monitoring capabilities for long-term, low-and-slow data staging and exfiltration activity, especially outside of standard business hours.
- Review and test incident response and business continuity plans focused on ransomware scenarios.