Cactus attacks Foroni SPA

Incident Date:

September 5, 2023

World map



Cactus attacks Foroni SPA


Foroni SPA




Gorla Minore, Italy

Lombardy, Italy

First Reported

September 5, 2023

The Cactus Ransomware Gang's Attack on Foroni SPA

The Cactus ransomware gang has attacked Foroni SPA. Foroni SPA is an Italian company that specializes in the production of stationery and paper products. It is primarily known for manufacturing and distributing various paper-based items such as notebooks, notepads, diaries, folders, and other office and school supplies. Foroni has been in the stationery business for several decades and has established itself as a prominent brand in this industry.

Foroni SPA is a nickel-based and specialty alloy manufacturer headquartered in Gorla Minore, Italy. Cactus posted Foroni SPA to its data leak site on September 5th but provided no further details. Cactus has been in operation since at least March 2023.

Method of Attack

Cactus has been observed employing known vulnerabilities within VPN appliances to initiate an initial breach. Once gaining entry to the network, Cactus operators engage in activities such as enumerating local and network user accounts and identifying accessible endpoints. They then proceed to generate new user accounts and utilize custom scripts for the automated rollout and activation of the ransomware encryptor through scheduled tasks.

Unique Characteristics of the Ransomware

It is noteworthy that the ransomware encryptor utilized by Cactus exhibits a unique characteristic – it necessitates a decryption key for the execution of the binary, likely implemented to evade detection by anti-virus software. This decryption key is concealed within a file containing random text named ntuser.dat, which is loaded through a scheduled task.

Recent Ransomware Attacks

The Recent Ransomware Attacks (RRA) site acts as a watchtower, providing you with near real-time ransomware tracking of attacks, groups and their victims. Given threat actors’ overarching, lucrative success so far, ransomware attacks have become the most ubiquitous, and financially and informationally impactful cyber threat to businesses and organizations today.

The site’s data is generated based on hosting choices of real-world threat actors, and a handful of other trackers. While sanitization efforts have been taken, we cannot guarantee 100% accuracy of the data. Attack updates will be made as source data is reported by reputable sources. By viewing, accessing, or using RRA you acknowledge you are doing so at your own risk.