Introduction

Article: How Lockbit5 Compromised topackt.com, Manufacturing in France

On December 5, 2025, the Lockbit5 ransomware group claimed responsibility for a cyberattack against topackt.com, a French company specializing in industrial packaging. This company, with 50 to 100 employees, founded in 1995 and generating €15 million in revenue, found itself exposed on the cybercriminal collective's leaked website. The incident, classified at SIGNAL level according to our XC-Classify protocol, occurred amidst a surge in attacks against the French manufacturing sector. Data certified on the Polygon blockchain revealed a compromise affecting B2B customer information, logistics data, and sensitive production processes. This attack illustrates the persistent vulnerability of mid-sized companies to Ransomware-as-a-Service (RaaS) models.

Analyse détaillée

The targeted organization, active for nearly 30 years in the packaging industry, manages critical information for its operations on a daily basis: professional customer files, inventory data, logistics information, and proprietary industrial processes. The compromise of these digital assets represents a major risk to both business continuity and the confidentiality of B2B commercial relationships. The incident highlights the cybersecurity challenges faced by French manufacturing SMEs, which are often less equipped than large corporations to deal with sophisticated ransomware threats.

The SIGNAL level assigned by our assessment system indicates a confirmed threat requiring heightened vigilance. This classification reflects the nature of the potentially exposed data and the estimated impact on the French industrial ecosystem. Partner companies of topackt.com, particularly in the food, pharmaceutical, and cosmetics sectors, must remain alert to potential attempts to exploit the compromised information for chain attacks.

LockBit5: How it Works, History, and Victims of the Ransomware Group

LockBit5 is a ransomware group operating under the Ransomware-as-a-Service (RaaS) model, a structure that allows affiliates to rent malicious infrastructure in exchange for a share of the profits. This cybercriminal collective is part of the evolving LockBit ecosystem, one of the most prolific and resilient ransomware franchises of recent years. Despite international takedown operations conducted in 2024 against previous versions, the group has demonstrated a remarkable ability to regenerate and adapt its tactics.

The malicious actor's modus operandi relies on several proven technical pillars. The initial intrusion is generally carried out by exploiting unpatched vulnerabilities in systems exposed to the internet, targeted phishing, or the compromise of remote access credentials (RDP, VPN). Once the initial entry point is established, the attackers deploy reconnaissance tools to map the internal network, identify critical assets, and locate backups. The persistence phase involves installing backdoors and escalating privileges to ensure continued access even in the event of partial detection.

The double extortion strategy is the collective's signature: before data encryption, sensitive files are exfiltrated to servers controlled by the attackers. This approach maximizes pressure on victims by threatening to publish the stolen information on a dedicated leak site, even if the compromised organization has functional backups. The encryption itself is executed quickly thanks to optimized algorithms, making recovery without a decryption key technically impossible in most cases.

The group's previous victims span a diverse range of industries and geographies, with a predilection for mid-sized organizations with critical digital assets but limited cybersecurity budgets. The manufacturing sector is among the prime targets due to its reliance on industrial systems and the immediate operational impact of any disruption. The RaaS model allows the group to launch multiple simultaneous attacks through autonomous affiliates, making precise attribution and disruption complex for regulatory authorities.

topackt.com: Company Profile - Manufacturing (50-100 employees) - FR

topackt.com has been operating in the highly competitive industrial packaging sector in France since 1995. This mid-sized company, employing between 50 and 100 people, generates an estimated annual revenue of €15 million. Its positioning in the industrial packaging market leads it to work with demanding B2B clients, particularly in the food, pharmaceutical, and cosmetics industries, where traceability and regulatory compliance are paramount.

The company manages significant volumes of sensitive data related to its operations on a daily basis: professional customer files containing contractual and commercial information, real-time inventory data, detailed logistics information on the flow of goods, and proprietary production processes developed over its three decades of activity. These digital assets form the core of its competitive advantage and its ability to meet the stringent requirements of its clients.

The organization's location in France subjects it to European and national regulations regarding data protection and cybersecurity. Its packaging activity for regulated sectors potentially involves the processing of personal data (client employees, end recipients) and confidential business information. The compromise of this information could lead to contractual consequences with its business partners, a loss of market trust, and significant regulatory impacts.

The importance of topackt.com within its industrial ecosystem extends beyond its apparent size. As a link in critical supply chains, particularly in the food and pharmaceutical sectors, its compromise could create cascading disruptions for its clients. Information on production processes and technical packaging specifications is also valuable to competitors or malicious actors seeking to understand industry standards. This strategic position explains the ransomware group's potential interest in this target.

Technical Analysis: Exposure Level

The SIGNAL classification assigned to this incident by our XC-Classify system indicates a confirmed threat requiring special attention. This level, distinct from MINIMAL, PARTIAL, or FULL classifications, signals a verified claim on the ransomware group's official channels, without immediate public details on the exact volume of exfiltrated data. The lack of granular details does not diminish the severity of the situation for the affected entity.

The nature of the potentially exposed data, according to topackt.com's operational profile, encompasses several critical categories. The B2B customer files likely include commercial contracts, order histories, billing information, and business contact details. The inventory data reveals volumes processed, product references, and potentially profit margins. Logistics information exposes the flow of goods, transport partners, and delivery times. Production processes constitute the company's intellectual capital, including packaging recipes, machine parameters, and quality procedures.

The likely modus operandi follows the classic pattern observed in Lockbit 5 attacks. The initial intrusion may have exploited an unpatched vulnerability in internet-exposed systems, compromised remote access credentials, or been part of a targeted phishing campaign against employees. The internal reconnaissance phase allowed attackers to identify file servers, databases, and backup systems. The exfiltration of sensitive data preceded the ransomware deployment to maximize pressure during the ransom demand.

Conclusion

The incident timeline, with public discovery on December 5, 2025, suggests a compromise likely occurring several days or even weeks earlier. Sophisticated ransomware groups typically maintain a low profile within compromised networks to maximize data exfiltration before encryption. The publication on the leaked website occurs after negotiations have failed or a deadline imposed by the attackers has expired. Data certified via our blockchain protocol allows for precise tracking of the chronology of the public claim.