Cactus Group Ransomware Attack on IsoMetrix: 126GB Data Breach & $45.8M Ransom

Incident Date:

July 17, 2024

Overview

Victim

IsoMetrix

Attacker

Cactus

Location

Toronto, Canada

First Reported

July 17, 2024

Ransomware Attack on IsoMetrix by Cactus Group

Overview of IsoMetrix

IsoMetrix, a leading developer of integrated risk management software, specializes in Environmental, Health, and Safety (EHS) management, as well as Environmental, Social, and Governance (ESG) reporting. Established over 25 years ago, the company has built a reputation for helping organizations manage their risks effectively while enhancing safety and sustainability performance. Headquartered in Johannesburg, South Africa, IsoMetrix has a global presence with offices in the USA, Canada, the UK, Australia, and South Africa, employing approximately 70 people.

Details of the Attack

On July 18, 2024, IsoMetrix fell victim to a ransomware attack orchestrated by the Cactus group. The breach resulted in the exfiltration of 126GB of data. Despite the significant volume of data compromised, less than 1% has been disclosed publicly. The attackers are demanding a ransom of $45.8 million to prevent further data exposure and to restore access to the affected systems. IsoMetrix is currently assessing the full impact of the attack and working on mitigation strategies to secure their infrastructure.

About the Cactus Ransomware Group

The Cactus ransomware group, first discovered in March 2023, operates as a ransomware-as-a-service (RaaS) and is known for exploiting vulnerabilities and leveraging malvertising lures for targeted attacks. The group has been observed exploiting the ZeroLogon vulnerability, tracked as CVE-2020-1472, which allows remote unauthenticated attackers to access domain controllers and obtain domain administrator access. Cactus ransomware affiliates use custom scripts to disable security tools and distribute the ransomware, targeting organizations of all sizes across various industries.

Penetration and Techniques

Cactus ransomware employs a distinctive packaging technique to avoid detection: a batch script uses 7-Zip to extract the encryptor binary, launches it with an execution flag, and then deletes the original ZIP archive. In observed intrusions the group creates multiple accounts and adds them to the Administrators group, then uses those accounts to evade detection, escalate privileges, and persist in the environment. Lateral movement is carried out by abusing RDP, scheduled tasks, and the Windows Management Instrumentation Command-line utility (WMIC).
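The account-creation and lateral-movement pattern described above is detectable from standard Windows Security auditing. The following is an added example written for this page, not code from the tracker or from any vendor: it correlates account creation (event 4720) with addition to the Administrators group (event 4732) inside a short window, then collects RDP logons (4624 with logon type 10), scheduled-task creation (4698) and WMIC process launches (4688) by the flagged account. The event records are constructed JSON lines with simplified field names (`subject`, `target`, `group`, `logon_type`, `task`, `process`); real exports from Event Viewer or a SIEM will need a small field-mapping step, and the one-hour window is an assumption to tune per environment.

```python
"""Correlate new-admin-account creation with RDP / scheduled-task / WMIC activity.

Event IDs used are the real Windows Security IDs (4720 user created, 4732 member
added to a local group, 4624 logon, 4698 scheduled task created, 4688 process
created). Field names are simplified; map them from your own log export.
"""
import json
from datetime import datetime, timedelta

# Constructed sample log for demonstration only (NOT data from the IsoMetrix incident).
SAMPLE_LOG = r"""
{"time": "2024-07-16T09:00:00", "id": 4720, "host": "SRV01", "subject": "hr.admin", "target": "new.hire"}
{"time": "2024-07-17T01:02:00", "id": 4720, "host": "SRV01", "subject": "j.doe", "target": "svc_backup2"}
{"time": "2024-07-17T01:03:10", "id": 4732, "host": "SRV01", "subject": "j.doe", "target": "svc_backup2", "group": "Administrators"}
{"time": "2024-07-17T01:05:00", "id": 4624, "host": "SRV02", "target": "svc_backup2", "logon_type": 10, "src_ip": "10.0.0.5"}
{"time": "2024-07-17T01:06:00", "id": 4698, "host": "SRV02", "subject": "svc_backup2", "task": "\\Updater"}
{"time": "2024-07-17T01:07:00", "id": 4688, "host": "SRV02", "subject": "svc_backup2", "process": "C:\\Windows\\System32\\wbem\\WMIC.exe"}
{"time": "2024-07-17T08:00:00", "id": 4624, "host": "SRV02", "target": "j.doe", "logon_type": 10, "src_ip": "10.0.0.9"}
"""

ADMIN_WINDOW = timedelta(hours=1)  # assumed threshold: creation -> admin within 1h is suspicious
RDP_LOGON_TYPE = 10                # RemoteInteractive logon (RDP)


def parse_events(text):
    """Parse JSON-lines records, convert timestamps, and return them in time order."""
    events = []
    for line in text.strip().splitlines():
        rec = json.loads(line)
        rec["time"] = datetime.fromisoformat(rec["time"])
        events.append(rec)
    return sorted(events, key=lambda e: e["time"])


def new_admin_accounts(events, window=ADMIN_WINDOW):
    """Accounts created (4720) and then added to Administrators (4732) within `window`."""
    created = {}  # account -> creation time
    flagged = {}
    for e in events:
        if e["id"] == 4720:
            created[e["target"]] = e["time"]
        elif e["id"] == 4732 and e.get("group") == "Administrators":
            acct = e["target"]
            if acct in created and e["time"] - created[acct] <= window:
                flagged[acct] = {
                    "host": e["host"],
                    "created_at": created[acct],
                    "admin_at": e["time"],
                    "by": e.get("subject"),
                }
    return flagged


def account_activity(events, account):
    """Lateral-movement indicators tied to one account: RDP logons, scheduled tasks, WMIC launches."""
    findings = []
    for e in events:
        if e["id"] == 4624 and e.get("target") == account and e.get("logon_type") == RDP_LOGON_TYPE:
            findings.append(("rdp_logon", e["host"], e.get("src_ip")))
        elif e["id"] == 4698 and e.get("subject") == account:
            findings.append(("scheduled_task", e["host"], e.get("task")))
        elif e["id"] == 4688 and e.get("subject") == account and e.get("process", "").lower().endswith("wmic.exe"):
            findings.append(("wmic_exec", e["host"], e["process"]))
    return findings


def analyze(text):
    """Return {account: {"creation": ..., "activity": [...]}} for every suspicious new admin."""
    events = parse_events(text)
    report = {}
    for acct, meta in new_admin_accounts(events).items():
        report[acct] = {"creation": meta, "activity": account_activity(events, acct)}
    return report


if __name__ == "__main__":
    for acct, detail in analyze(SAMPLE_LOG).items():
        print(f"suspicious new admin account: {acct}")
        print("  created:", detail["creation"])
        for kind, host, extra in detail["activity"]:
            print(f"  {kind} on {host}: {extra}")
```

In the sample, `new.hire` is created but never added to Administrators, so it is not reported; `svc_backup2` is created and made an administrator seventy seconds later, and the subsequent RDP logon, scheduled task and WMIC launch are all attributed to it. The unrelated RDP logon by `j.doe` is ignored because the activity pass is scoped to flagged accounts only.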

Vulnerabilities and Impact

IsoMetrix's extensive use of integrated risk management software, while a strength in its industry, also makes it a lucrative target for ransomware groups like Cactus. The company's reliance on comprehensive data management and compliance with international standards means that any disruption can have significant operational and reputational impact. The attack underscores the importance of robust cybersecurity measures, particularly for companies handling sensitive and regulated data.

Sources

Recent Ransomware Attacks

The Recent Ransomware Attacks (RRA) site acts as a watchtower, providing you with near real-time ransomware tracking of attacks, groups and their victims. Given threat actors’ overarching, lucrative success so far, ransomware attacks have become the most ubiquitous, and financially and informationally impactful cyber threat to businesses and organizations today.

The site’s data is generated based on hosting choices of real-world threat actors, and a handful of other trackers. While sanitization efforts have been taken, we cannot guarantee 100% accuracy of the data. Attack updates will be made as source data is reported by reputable sources. By viewing, accessing, or using RRA you acknowledge you are doing so at your own risk.