The Cactus Ransomware Gang Attacks TORMAX USA

The Cactus ransomware gang has attacked TORMAX USA. TORMAX USA is the American subsidiary of the TORMAX Group, a global leader in the automatic door systems industry. TORMAX specializes in designing, manufacturing, and installing automatic door solutions for various commercial, industrial, and institutional applications. As a subsidiary of the TORMAX Group, TORMAX USA is responsible for serving the United States market.

The company offers a wide range of automatic door products, including sliding doors, swing doors, revolving doors, and folding doors. These automated entrance systems are designed to enhance accessibility, security, and convenience in various settings, such as retail stores, hospitals, office buildings, airports, and more.

Cactus Ransomware Gang's Attack Details

Cactus posted TORMAX USA to its data leak site on September 7th but provided no further details. Cactus has been in operation since at least March 2023. Cactus has been observed employing known vulnerabilities within VPN appliances to initiate an initial breach. Once gaining entry to the network, Cactus operators engage in activities such as enumerating local and network user accounts and identifying accessible endpoints. They then proceed to generate new user accounts and utilize custom scripts for the automated rollout and activation of the ransomware encryptor through scheduled tasks.

It is noteworthy that the ransomware encryptor utilized by Cactus exhibits a unique characteristic – it necessitates a decryption key for the execution of the binary, likely implemented to evade detection by anti-virus software. This decryption key is concealed within a file containing random text named ntuser.dat, which is loaded through a scheduled task.