Studio Più: LockBit 5.0 Ransomware Attack

On April 22, 2026, the LockBit 5.0 ransomware group publicly claimed responsibility for a cyberattack against Studio Più (studiopiu.net), a well-known Italian media company headquartered near Lake Garda in Desenzano. The group has added the victim to its leak site and is threatening to publish sensitive exfiltrated data unless its extortion demands are met.

What Happened

LockBit 5.0 listed Studio Più on its dark web leak portal on April 22, 2026, accompanied by a taunting Italian-language statement referencing the broadcaster's heritage in the Italian dance radio scene: "Di fronte al Lago di Garda, a Desenzano, batte uno dei cuori storici della radiofonia dance italiana." The post follows the standard LockBit playbook of double extortion, where attackers encrypt victim systems and simultaneously threaten to publish stolen data if payment is not received within a defined countdown window. As of disclosure, Studio Più has not issued a public statement confirming the breach scope or its response posture.

What Was Taken

LockBit 5.0 has not yet released proof-of-data samples publicly, but based on the group's historical operating pattern, the exfiltrated dataset likely includes a mix of internal business records, employee personally identifiable information (PII), payroll documentation, contractual agreements with talent and advertisers, financial records, and potentially proprietary broadcast assets or unreleased media content. As an Italian-regulated media entity, any leak is likely to also include data subject to GDPR protections, raising the stakes considerably for the victim and any third parties whose data may be entangled in the breach.

Why It Matters

The Studio Più incident reinforces three concerning trends. First, LockBit 5.0 continues to demonstrate operational resilience despite Operation Cronos disruption efforts against earlier LockBit infrastructure, signalling that affiliate recruitment and tooling have successfully migrated to the new variant. Second, mid-sized regional media companies remain a soft underbelly for ransomware crews because they hold high-value journalistic and commercial data but typically lack the security maturity of larger broadcasters. Third, Italian organizations have seen a notable uptick in ransomware listings throughout Q1 and early Q2 2026, suggesting affiliates are actively prospecting Italian-language targets where regulatory pressure and reputational sensitivity may motivate faster ransom payment.

The Attack Technique

The specific initial access vector for the Studio Più intrusion has not been publicly disclosed. However, LockBit 5.0 affiliates are known to gain entry through a recurring set of techniques: exploitation of unpatched edge devices and VPN appliances, abuse of valid credentials harvested from infostealer logs traded on dark web marketplaces, phishing campaigns delivering loaders such as SocGholish or Latrodectus, and exploitation of exposed RDP services. Once inside, affiliates typically perform Active Directory reconnaissance, deploy Cobalt Strike or Sliver beacons for lateral movement, disable endpoint defences, exfiltrate data via Rclone or MEGA, and finally detonate the LockBit 5.0 encryptor across domain-joined hosts.

What Organizations Should Do

Hunt proactively for known LockBit 5.0 indicators across endpoint and network telemetry, including Rclone usage, suspicious PowerShell encoded commands, and unauthorised use of administrative tooling such as PsExec and AnyDesk.
Audit external attack surface exposure, prioritising patching of edge VPN, firewall, and remote access appliances that LockBit affiliates routinely exploit for initial access.
Validate offline, immutable backup integrity and rehearse a full restore from cold storage to confirm recovery time objectives are achievable under encryption-event conditions.
Enforce phishing-resistant multi-factor authentication on all remote access, email, and privileged accounts, and rotate credentials known to appear in commercial infostealer log feeds.
Segment broadcast production networks from corporate IT environments to limit blast radius and prevent attackers from pivoting from business systems into operational media infrastructure.
Engage qualified incident response counsel and forensic specialists before any communication with the threat actor, and coordinate with the Italian national CSIRT (CSIRT Italia) and relevant data protection authorities to meet GDPR breach notification timelines.

Sources: LockBit 5.0 Targets Italian Media Company Studio Più - DeXpose