Cactus attacks Medi-Market
Date:
November 28, 2023
Overview
Title
Cactus attacks Medi-Market
Victim
Medi-Market
Attacker
Cactus
Location
Size of Attack
Unknown/TBD
First Reported
November 28, 2023
Last Updated
October 31, 2022
Cactus ransomware group claimed responsibility for an attack against Medi-Market. No further information was made available. Medi-Market is a new chain of pharmacies and parapharmacies in Belgium. Their innovative concept offers customers personalized advice from specialists and a wide range of products in the health care, natural medicine, cosmetics, nutrition and baby care sectors. Cactus has been in operation since at least March 2023. Cactus has been observed employing known vulnerabilities within VPN appliances to initiate an initial breach. Once gaining entry to the network, Cactus operators engage in activities such as enumerating local and network user accounts and identifying accessible endpoints. They then proceed to generate new user accounts and utilize custom scripts for the automated rollout and activation of the ransomware encryptor through scheduled tasks. It is noteworthy that the ransomware encryptor utilized by Cactus exhibits a unique characteristic – it necessitates a decryption key for the execution of the binary, likely implemented to evade detection by anti-virus software. This decryption key is concealed within a file containing random text named ntuser.dat, which is loaded through a scheduled task.
This attack's description was not found, while we work on the detailed account of this attack we invite you to browse through other recent Rasomware Attacks in the table below.
Recent Ransomware Attacks
The Recent Ransomware Attacks (RRA) site acts as a watchtower, providing you with near real-time ransomware tracking of attacks, groups and their victims. Given threat actors’ overarching, lucrative success so far, ransomware attacks have become the most ubiquitous, and financially and informationally impactful cyber threat to businesses and organizations today.
The site’s data is generated based on hosting choices of real-world threat actors, and a handful of other trackers. While sanitization efforts have been taken, we cannot guarantee 100% accuracy of the data. Attack updates will be made as source data is reported by reputable sources. By viewing, accessing, or using RRA you acknowledge you are doing so at your own risk.