
Cactus Ransomware Strikes Schneider Electric, Demands Ransom

In a recent cyber attack, the Cactus ransomware group claims to have infiltrated Schneider Electric's Sustainability Business division, stealing a substantial 1.5 terabytes of data. The breach, which occurred on January 17th, has raised concerns as the gang now threatens to expose the stolen information if a ransom is not paid.

The ransomware group has already leaked 25MB of allegedly pilfered data on its dark web leak site, showcasing American citizens' passports and scans of non-disclosure agreement documents. Schneider Electric, a French multinational specialising in energy management and automation, is being coerced by the hackers to meet their ransom demand to prevent further leaks.

While the specific nature of the stolen data remains unknown, Schneider Electric's Sustainability Business division provides services related to renewable energy and regulatory compliance for major global companies such as Allegiant Travel Company, Clorox, DHL, DuPont, Hilton, Lexmark, PepsiCo, and Walmart. This implies that the compromised data might include sensitive information about customers' industrial control and automation systems and details regarding environmental and energy regulations compliance.

Cactus ransomware, a relatively new player in the cybercrime landscape, emerged in March 2023, employing double-extortion attacks. The group gains access to corporate networks through various means, including purchased credentials, partnerships with malware distributors, phishing attacks, or exploiting security vulnerabilities.

Once inside a target's network, the hackers navigate through the compromised system, stealing sensitive data to use as leverage in ransom negotiations. Since its inception, Cactus ransomware has targeted over 100 companies, leaking data online or threatening to do so while still engaging in ransom negotiations.

This incident is not the first time Schneider Electric has fallen victim to cyber threats. In the past, the company experienced data theft attacks orchestrated by the Clop ransomware, impacting over 2,700 other organisations. Schneider Electric, with a workforce exceeding 150,000 people globally, reported a substantial $28.5 billion in revenue in 2023.

Both companies and individuals need to stay alert to potential threats. Cybersecurity experts stress the significance of adopting strong security practices, regularly updating computer programs, and ensuring employees are well informed about potential risks. These measures are crucial for minimising the potential fallout from ransomware attacks, underlining the need for a proactive approach to safeguarding digital assets.

The Cactus ransomware attack on Schneider Electric is a stark reminder of the increasing sophistication and frequency of cyber threats in today's digital age. Businesses and individuals must prioritise cybersecurity to safeguard sensitive information and prevent financial and reputational damage.

Twisted Spider's Dangerous CACTUS Ransomware Attack

In a sophisticated cyber campaign, the group Twisted Spider, also recognized as Storm-0216, has joined forces with the cybercriminal faction Storm-1044. Employing a strategic method, they target specific endpoints through the deployment of an initial access trojan known as DanaBot. 

Subsequently, Twisted Spider leverages this initial access to deploy the CACTUS ransomware. Recent insights from Microsoft Threat Intelligence on X shed light on Storm-0216's tactics. Operating under aliases such as Twisted Spider or UNC2198, this ransomware entity employs an advanced banking Trojan, DanaBot. This pairing of cyber threats showcases the evolving and complex nature of Twisted Spider's malicious endeavors.

Additionally, the security researchers highlighted the adaptive tactics of Storm-0216, which was previously recognized for utilizing QakBot's infrastructure for infections. However, following the dismantling of this operation by law enforcement last summer, the group was compelled to pivot to a different platform. 

The latest DanaBot campaign, initially identified in November, indicates a notable shift. Unlike the previous malware-as-a-service model, the group appears to be using a private version of the info-stealing malware. Microsoft explained that DanaBot, known for providing hands-on-keyboard activity to its partners, has undergone a transformation in its deployment strategy.

This shift underscores the group's remarkable adaptability and capacity to evolve tactics, particularly in response to interventions by law enforcement. The ability to navigate and adjust strategies highlights the dynamic nature of cyber threats and the constant cat-and-mouse game between cybercriminals and those working to counteract their activities. 

Let’s Understand the Method of the Attack 

Upon obtaining the essential login credentials, the Storm-1044 group initiates lateral movement across the network and various endpoints through Remote Desktop Protocol (RDP) sign-in attempts. Once the initial access has been secured, the baton is passed to Twisted Spider. Subsequently, Twisted Spider proceeds to compromise the endpoints by introducing the CACTUS ransomware. 

What is CACTUS Ransomware? 

CACTUS is emerging as a preferred option among numerous ransomware operators. Recently, Arctic Wolf researchers cautioned that hackers exploited three vulnerabilities in the Qlik Sense data analytics solution to deploy this specific variant, facilitating the theft of sensitive company data. 

Why Is It More Threatening?

In May, researchers at Kroll made a noteworthy discovery regarding the ransomware's evasion tactics. Laurie Iacono, Associate Managing Director for Cyber Risk at Kroll, revealed that CACTUS employs a unique method to bypass cybersecurity measures—it essentially encrypts itself. This self-encryption mechanism enhances its ability to evade detection, posing challenges for antivirus and network monitoring tools, as highlighted by Iacono in discussions with Bleeping Computer.

Cactus: New Ransomware Encrypts Itself to Evade Detection

Cactus, a newly discovered ransomware operation, has apparently been exploiting vulnerabilities in VPN appliances to gain initial access to the networks of "large commercial entities."

Although the new threat actor uses the usual file encryption and data stealing techniques used in ransomware attacks, it encrypts itself to evade detection by antivirus software, making it exceptionally challenging to eliminate.

Encrypted Configuration Twist

According to the cybersecurity experts at Kroll, the Cactus ransomware infiltrates its victims' networks by exploiting security flaws in VPN appliances. The researchers discovered that the hackers used compromised service accounts to access these networks through VPN servers.

The self-encryption attribute of Cactus ransomware is what makes it significant. To accomplish this, Cactus operators use a batch script and the popular compression tool 7-Zip to obtain the encryptor binary. Once the binary is extracted, the initial ZIP archive is deleted, and the binary is executed with a specific parameter, making it challenging for antivirus software to identify the threat.

Kroll investigators further explain that the script is run using three separate switches: -s for initialization, -r for loading a configuration file, and -i for encryption.

Once within the targeted network, the attackers employ an SSH backdoor along with scheduled tasks to maintain their presence while conducting a number of reconnaissance operations, such as pinging remote hosts, identifying endpoints, and locating user accounts.

The Cactus ransomware executes a batch script that disables standard antivirus software in order to cause the most damage. The attackers exfiltrate files from infected PCs to a cloud server before automatically encrypting them with a PowerShell script.
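As an added illustration that is not part of the original article or Kroll's report: a small Python detector that looks, in constructed process-creation log entries, for the sequence described above on one host within a short window (7-Zip extraction, deletion of the same archive, then execution with the -s, -r and -i switches). Host names, paths and the binary name are made up; real telemetry would come from Sysmon or an EDR.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample process-creation events (not real telemetry): host WS01 shows
# the full chain, WS02 only a benign extraction and cleanup. Paths are made up.
EVENTS = [
    ("2024-01-17T03:10:01", "WS01", r'"C:\Program Files\7-Zip\7z.exe" x C:\Temp\upd.zip -oC:\Temp\out'),
    ("2024-01-17T03:10:04", "WS01", r"cmd.exe /c del C:\Temp\upd.zip"),
    ("2024-01-17T03:10:07", "WS01", r"C:\Temp\out\bin.exe -s"),
    ("2024-01-17T03:10:09", "WS01", r"C:\Temp\out\bin.exe -r C:\Temp\out\cfg.dat"),
    ("2024-01-17T03:10:15", "WS01", r"C:\Temp\out\bin.exe -i"),
    ("2024-01-17T08:00:00", "WS02", r'"C:\Program Files\7-Zip\7z.exe" x C:\Users\bob\report.zip -oC:\Users\bob\report'),
    ("2024-01-17T08:00:30", "WS02", r"cmd.exe /c del C:\Users\bob\report.zip"),
]
# The stages the article describes, in order, as regexes over the command line.
STAGES = [
    ("extract", re.compile(r'7z\.exe"?\s+x\s+(\S+\.zip)', re.I)),
    ("delete_archive", re.compile(r"\bdel\s+(\S+\.zip)", re.I)),
    ("init", re.compile(r"\.exe\s+-s\b", re.I)),
    ("load_config", re.compile(r"\.exe\s+-r\s+\S+", re.I)),
    ("encrypt", re.compile(r"\.exe\s+-i\b", re.I)),
]

def find_chains(events, window_minutes=10):
    """Return {host: [(stage, timestamp), ...]} for hosts where all five stages occur
    in order within the window and the deleted ZIP is the one 7-Zip extracted."""
    by_host = defaultdict(list)
    for ts, host, cmd in events:
        by_host[host].append((datetime.fromisoformat(ts), cmd))
    hits = {}
    for host, evs in by_host.items():
        stage, seen, archive, start = 0, [], None, None
        for ts, cmd in sorted(evs):
            if start and ts - start > timedelta(minutes=window_minutes):
                stage, seen, archive, start = 0, [], None, None  # window expired
            name, pattern = STAGES[stage]
            match = pattern.search(cmd)
            if not match:
                continue
            if name == "extract":
                archive, start = match.group(1).lower(), ts
            elif name == "delete_archive" and match.group(1).lower() != archive:
                continue  # some other archive was deleted; not this chain
            seen.append((name, ts.isoformat()))
            stage += 1
            if stage == len(STAGES):
                hits[host] = seen
                break
    return hits
```

Only WS01 is reported; WS02 stops after the cleanup stage, so ordinary archive handling does not fire the rule.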

While detailed information regarding the Cactus operation, the victims it targets, and whether the hackers keep their promise to provide a reliable decryptor if paid is not yet available, applying the most recent vendor software updates, keeping an eye out for significant data exfiltration attempts, and acting fast should guard against the most destructive and final stages of a ransomware attack.