Cactus Ransomware Group Strikes Freedom Profit Recovery, Inc.

Incident Date:

June 6, 2024

Overview

Victim

Freedom Profit Recovery, Inc.

Attacker

Cactus

Location

Irving, Texas, USA

First Reported

June 6, 2024

Cactus Ransomware Group Targets Freedom Profit Recovery, Inc.

Overview of the Attack

The Cactus ransomware group has claimed responsibility for a cyberattack on Freedom Profit Recovery, Inc. (FPR), a consulting and technology services firm based in Irving, Texas. The attack compromised sensitive information, including personal data of employees and executives, contracts, reports, and customer data. The ransom note left by the attackers warned the victim not to interrupt the encryption process, claiming that doing so would corrupt data, and stated that confidential information had been exfiltrated.

About Freedom Profit Recovery, Inc.

Founded in 2001, Freedom Profit Recovery, Inc. specializes in helping companies reduce costs and improve efficiency in document output expense management, telecom expense management, and electricity expense management. With over 100 employees and an estimated annual revenue of $10-$20 million, FPR stands out for its independent, cost-recovery-focused consultancy services. The company’s unique VISIONAnalysis™ process combines expertise and intelligence to deliver significant value and cost savings to clients.

Vulnerabilities and Targeting

FPR's focus on managing sensitive financial and operational data makes it an attractive target for ransomware groups like Cactus. The company's extensive use of technology services and outsourcing could present multiple entry points for attackers. The Cactus group is known for exploiting vulnerabilities such as ZeroLogon (CVE-2020-1472) and for using custom scripts to disable security tools, which may have facilitated its entry into FPR's systems.

About the Cactus Ransomware Group

First discovered in March 2023, the Cactus ransomware group operates as a ransomware-as-a-service (RaaS). Its tactics and techniques map onto the MITRE ATT&CK framework and include distinctive encryption methods intended to avoid detection. Cactus affiliates use custom scripts to disable security tools and distribute the ransomware, targeting organizations across a range of industries. The group's attacks often involve creating multiple accounts to evade detection and escalate privileges.

Penetration Techniques

Cactus ransomware affiliates are known for exploiting vulnerabilities and for using malvertising lures. In the case of FPR, the attackers may have used the ZeroLogon vulnerability to gain domain administrator access. The group's use of batch scripts to deploy the encryptor binary and to change file extensions both before and after encryption further complicates detection and mitigation.
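A defender-side detection example for the before-and-after extension rename pattern described above, added here and not part of the original report or of any Cactus tooling. The file-audit event format, the /share paths, the .tmp/.enc extensions and the window and threshold values are all constructed assumptions; map your own EDR or file-audit export onto the tuple layout shown.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from os.path import splitext

WINDOW = timedelta(seconds=60)   # sliding window (assumed tuning value)
THRESHOLD = 20                   # extension changes per window that raise an alert

def _ext(path):
    return splitext(path)[1].lower()

def build_sample():
    """Constructed file-audit events (ts, host, user, old_path, new_path);
    the format, paths and .tmp/.enc extensions are placeholders, not real data."""
    ev = []
    for i in range(25):  # stage 1: .docx -> .tmp within 10 s
        ev.append((f"2024-06-06T02:14:{i % 10:02d}Z", "FS01", "svc_print",
                   f"/share/doc{i}.docx", f"/share/doc{i}.tmp"))
    for i in range(25):  # stage 2: .tmp -> .enc half a minute later
        ev.append((f"2024-06-06T02:14:{30 + i % 10:02d}Z", "FS01", "svc_print",
                   f"/share/doc{i}.tmp", f"/share/doc{i}.enc"))
    ev.append(("2024-06-06T02:15:00Z", "FS01", "alice", "/share/r.docx", "/share/r_v2.docx"))
    ev.append(("2024-06-06T02:15:05Z", "FS01", "alice", "/share/p.jpg", "/share/p.png"))
    return sorted(ev)

def detect_rename_bursts(events):
    """One alert per (host, user) whose extension-changing renames reach THRESHOLD
    inside WINDOW; double_renamed counts stems renamed twice (before/after pattern)."""
    by_actor = defaultdict(list)
    for ts, host, user, old, new in events:
        if _ext(old) != _ext(new):
            by_actor[(host, user)].append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), old, new))
    alerts = []
    for (host, user), rows in by_actor.items():
        rows.sort()
        best, start = (0, 0, 0), 0          # densest window: (count, start_idx, end_idx)
        for end in range(len(rows)):
            while rows[end][0] - rows[start][0] > WINDOW:
                start += 1
            if end - start + 1 > best[0]:
                best = (end - start + 1, start, end)
        count, s, e = best
        if count < THRESHOLD:
            continue
        seen = defaultdict(int)
        for _, old, _new in rows[s:e + 1]:
            seen[splitext(old)[0]] += 1     # same stem twice = renamed before and after
        alerts.append({"host": host, "user": user, "start": rows[s][0].isoformat(),
                       "changes": count,
                       "double_renamed": sum(1 for c in seen.values() if c >= 2)})
    return alerts
```

Ordinary user activity (a version bump that keeps the extension, a single image conversion) stays below the threshold, while the scripted two-stage rename of 25 files produces one alert whose double_renamed count exposes the before/after pattern.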

Sources

Recent Ransomware Attacks
