Attack alert: lockbit5 targets cadopt.com - FR

Introduction

On December 7, 2025, the French CAD/PLM software publisher cadopt.com joined the list of victims of the Lockbit5 ransomware group. This breach, classified as SIGNAL level according to our XC-Classify protocol, affected an SME with 10 to 50 employees specializing in the management of sensitive industrial technical data and client intellectual property. With a turnover of €2 million, cadopt.com represents a strategic target in the French software sector, where even the smallest data leak can jeopardize years of development and the trust of industrial partners.

This cyberattack comes at a time when malicious actors are increasingly targeting SMEs in the technology sector, which are often less equipped than large companies to deal with ransomware threats. The exposure of technical data and intellectual property in the CAD/PLM industry raises critical questions about the protection of strategic digital assets. Software companies in France must now consider this intrusion a wake-up call, particularly those managing confidential client information.

Analyse détaillée

The incident also highlights the persistence of the Ransomware-as-a-Service (RaaS) model exploited by lockbit5, which allows affiliates to conduct targeted extortion campaigns. This compromise, certified on the Polygon blockchain via our XC-Audit protocol, offers immutable traceability of evidence, unlike traditional centralized verification systems.

lockbit5 is part of a growing group of cybercriminal collectives operating under the Ransomware-as-a-Service (RaaS) model, a structure that democratizes access to digital extortion tools. This group, active in 2025, offers affiliates a turnkey platform including encryption malware, payment infrastructure, and technical support, in exchange for a commission on collected ransoms.

lockbit5's modus operandi relies on double extortion: encrypting the victim's systems and first exfiltrating sensitive data. This tactic maximizes pressure on compromised organizations, which face both business disruption and the threat of confidential information being published. Attackers typically exploit unpatched vulnerabilities, poorly secured RDP access, or targeted phishing campaigns as initial intrusion vectors.

The cybercriminal collective's recent activity demonstrates an opportunistic targeting strategy, affecting both SMEs and larger organizations. The RaaS model allows lockbit5 to multiply its victims without requiring a massive operational infrastructure, as each affiliate conducts its own campaigns according to its technical capabilities. This decentralization significantly complicates attribution and dismantling efforts by authorities.

Previous victims of lockbit5 span diverse geographic and industrial sectors, reflecting the lack of sectoral discrimination characteristic of RaaS operations. The malicious actor prioritizes targets with perceived sufficient payment capacity and exploitable security vulnerabilities, rather than a specific industry. This pragmatic approach maximizes the return on investment for program affiliates.

Founded in 2010, cadopt.com has positioned itself as a publisher specializing in CAD (Computer-Aided Design) and PLM (Product Lifecycle Management) solutions for the industrial sector. With a staff of between 10 and 50 employees, this French SME embodies the dynamism of French technology companies in a highly competitive and technical market.

The organization manages extremely sensitive technical data on behalf of its industrial clients: design plans, 3D models, product specifications, development cycles, and strategic intellectual property. These digital assets often represent years of research and development, with considerable commercial value. The compromise of such information can expose the trade secrets of multiple client companies, creating a potentially devastating domino effect.

With annual revenue of €2 million, cadopt.com operates in a segment where customer trust is the most valuable asset. Industrial companies entrust their most strategic data to their CAD/PLM solution providers, creating a relationship of dependence based on strict security guarantees. This cyberattack therefore risks permanently damaging the reputation of the affected entity with its customers.

Cadopt.com's French operations subject it to European and national regulatory requirements regarding data protection, including the GDPR and potentially the NIS2 directive, depending on the criticality of its clients. The impact of this intrusion extends far beyond the compromised company, potentially affecting its entire ecosystem of industrial partners.

The incident affecting cadopt.com has been classified as SIGNAL level according to our XC-Classify methodology, indicating a confirmed exposure, although the precise extent is still being analyzed. This criticality level signals a proven compromise requiring immediate vigilance, even though the exact volume of exfiltrated data has not yet been publicly quantified by the malicious actor.

The nature of the potentially exposed information is of major strategic importance: CAD design files, PLM models, customer technical data, industrial intellectual property, and potentially contractual or commercial information. In the industrial software solutions sector, these digital assets form the core of the value proposition and competitive differentiation.

Our analysis based on verified data reveals that the attack was discovered on December 7, 2025, but the exact timeline of the initial intrusion remains to be determined. Ransomware compromises typically involve a reconnaissance and exfiltration phase lasting several days to several weeks before the encryption is deployed and the public claim of responsibility is made. The available metadata suggests a methodical operation specifically targeting valuable assets.

The initial attack vector has not been publicly confirmed, but intrusions targeting software vendors frequently exploit vulnerabilities in development infrastructure, inadequately protected VPN access, or spear-phishing campaigns targeting technical teams. The attack surface of a CAD/PLM software vendor also includes connections to customer environments, which can potentially be exploited for lateral movement.

The lack of precise quantified data (volume in gigabytes, number of files) in the initial claim does not diminish the severity of the incident. The SIGNAL level indicates that the evidence of compromise is sufficiently tangible to warrant an immediate response from stakeholders and increased monitoring of potential dissemination channels for the exfiltrated data.

The software industry, particularly the CAD/PLM segment, faces amplified cybersecurity risks due to the very nature of its business. Industrial software vendors simultaneously manage their own intellectual property (source code, algorithms) and that of their customers (designs, technical specifications), creating a concentration of value that is attractive to malicious actors.

In France, this compromise triggers strict legal obligations under the GDPR. cadopt.com must notify the CNIL (French Data Protection Authority) within 72 hours if personal data is involved, and directly inform the affected individuals if the risk is high. Beyond the GDPR, the NIS2 directive, currently being transposed into French law, strengthens cybersecurity requirements for providers of critical digital services, a category that can include industrial solution providers depending on their clientele.

Potential regulatory consequences include administrative penalties of up to 4% of global revenue for GDPR non-compliance, as well as civil lawsuits from clients who believe their data is insufficiently protected. Understanding GDPR obligations in the event of a cyberattack is becoming crucial for any software company handling sensitive information.

Conclusion

This intrusion is part of a series of attacks targeting the French technology sector in 2025, revealing a worrying trend. Technology SMEs are prime targets because they combine high-value assets with often limited security budgets compared to large corporations. → Other incidents in the Software sector shows the scale of the phenomenon.