Cactus Ransomware Hits Dahl Valve Limited, Steals 80GB Data

Incident Date:

August 1, 2024


Overview

Title

Cactus Ransomware Hits Dahl Valve Limited, Steals 80GB Data

Victim

Dahl Valve

Attacker

Cactus

Location

Mississauga, Canada

First Reported

August 1, 2024

Cactus Ransomware Group Targets Dahl Valve Limited in Major Cyber Attack

Dahl Valve Limited, a Canadian manufacturer of plumbing and heating valves, has become the latest victim claimed by the Cactus ransomware group. The group posted the company on its dark web leak site, asserting that it exfiltrated 80GB of sensitive data. As with other leak-site listings, the figure and the breach itself are the attackers' claims and have not been confirmed by the company.

About Dahl Valve Limited

Founded with a commitment to excellence, Dahl Valve Limited is renowned for its comprehensive range of products, particularly its 1/4-turn mini-ball valves. The company emphasizes durability and reliability, using American brass and precision engineering to ensure that their products perform effectively under various conditions. Dahl Valve's product line includes mini-ball valves, globe-style valves, balancing valves, and various fittings and accessories. The company is also noted for its ability to produce custom valve configurations quickly, often within 24 hours, which is a unique service in the plumbing industry.

Attack Overview

The Cactus ransomware group has claimed responsibility for the breach, asserting that it exfiltrated 80GB of sensitive data from Dahl Valve Limited. According to the listing, the stolen material includes Personally Identifiable Information (PII), corporate data, agreements and contracts, financial documents, and database backups. To substantiate the claim, the attackers posted samples of the exfiltrated data on the leak site.

About the Cactus Ransomware Group

First observed in March 2023, Cactus operates as a ransomware-as-a-service (RaaS) and is known for gaining initial access by exploiting vulnerabilities in exposed services such as VPN appliances and by using malvertising lures to deliver loaders. The group has also been observed exploiting ZeroLogon, tracked as CVE-2020-1472, a flaw in the Netlogon protocol that lets an attacker with network access to a domain controller authenticate without credentials and escalate to domain administrator. Cactus affiliates use custom scripts to disable security tools and distribute the ransomware, targeting organizations of all sizes across various industries.

Penetration and Techniques

Cactus is notable for protecting its own encryptor from analysis: the binary is delivered inside a 7-Zip archive, and a batch script extracts it with 7-Zip, launches it with an execution flag, and then deletes the archive, so the unpacked encryptor is on disk only briefly. The group also uses different file extensions to track processing state, renaming targeted files to CTS0 before encryption and CTS1 after encryption. For persistence and privilege escalation, the attackers create multiple accounts and add them to the local Administrators group, then use those accounts to blend in with legitimate administration. They move laterally by abusing RDP, scheduled tasks, and the Windows Management Instrumentation Command-line utility (WMIC).
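The behaviours above are all visible in ordinary Windows Security auditing, so they can be caught before encryption starts. The following is an added example, not code from the tracker page or anything attributed to Cactus: a small correlation script run over constructed Windows Security event records. It flags a freshly created account being added to Administrators (event 4720 followed by 4732), a 7-Zip extraction followed by execution of a binary from the extraction directory and deletion of the archive (a 4688 process-creation chain), and wmic.exe / schtasks.exe remote execution (4688). The event IDs are the real Windows Security IDs; the hostnames, account names, paths, flag and command lines in the sample are made up for the example.

```python
"""Correlation of Cactus-style staging, persistence and lateral movement over
constructed Windows Security events. Added example; not the page's or the
threat actor's code. Event IDs are real; all sample data is made up."""
from collections import defaultdict
from datetime import datetime, timedelta
import ntpath

# Constructed sample telemetry: (ISO timestamp, event ID, fields). Not real logs.
SAMPLE_EVENTS = [
    ("2024-08-01T02:10:05", 4720, {"host": "DC01", "target": "svc_backup2"}),
    ("2024-08-01T02:10:09", 4732, {"host": "DC01", "member": "svc_backup2", "group": "Administrators"}),
    # Batch-driven staging on FS01: extract, run extracted binary with a flag, delete archive.
    ("2024-08-01T02:15:40", 4688, {"host": "FS01", "image": r"C:\Program Files\7-Zip\7z.exe",
                                   "cmdline": r"7z.exe x C:\Temp\svc.7z -pPassw0rd -oC:\Temp"}),
    ("2024-08-01T02:15:42", 4688, {"host": "FS01", "image": r"C:\Temp\svc.exe",
                                   "cmdline": r"C:\Temp\svc.exe -s"}),  # flag value is constructed
    ("2024-08-01T02:15:43", 4688, {"host": "FS01", "image": r"C:\Windows\System32\cmd.exe",
                                   "cmdline": r"cmd.exe /c del C:\Temp\svc.7z"}),
    # Ordinary extraction on WS07 with nothing executed afterwards: must not fire.
    ("2024-08-01T03:00:00", 4688, {"host": "WS07", "image": r"C:\Program Files\7-Zip\7z.exe",
                                   "cmdline": r"7z.exe x C:\Users\jdoe\report.7z -oC:\Users\jdoe\report"}),
    ("2024-08-01T03:20:11", 4688, {"host": "FS01", "image": r"C:\Windows\System32\wbem\wmic.exe",
                                   "cmdline": r"wmic.exe /node:FS02 process call create C:\Temp\svc.exe"}),
    ("2024-08-01T03:21:02", 4688, {"host": "FS01", "image": r"C:\Windows\System32\schtasks.exe",
                                   "cmdline": r"schtasks.exe /create /s FS03 /tn Updater /tr C:\Temp\svc.exe /sc onstart"}),
]


def _ts(s):
    return datetime.fromisoformat(s)


def new_admin_accounts(events, window=timedelta(minutes=10)):
    """Accounts created (4720) and then added to Administrators (4732) within `window`."""
    created, hits = {}, []
    for ts, eid, f in events:
        if eid == 4720:
            created[f["target"].lower()] = _ts(ts)
        elif eid == 4732 and f["group"].lower() == "administrators":
            member = f["member"].lower()
            if member in created and _ts(ts) - created[member] <= window:
                hits.append(member)
    return hits


def _extract_args(cmdline):
    """Archive path and output directory from a `7z x <archive> [-o<dir>]` command line.
    Whitespace tokenising is enough for the constructed samples; paths with spaces
    would need quote-aware splitting."""
    toks = cmdline.split()
    if "x" not in toks:
        return None, None
    archive = toks[toks.index("x") + 1]
    outdir = next((t[2:] for t in toks if t.startswith("-o")), ntpath.dirname(archive))
    return archive, outdir


def encryptor_staging(events, window=timedelta(minutes=5)):
    """Per host: 7z.exe extracts an archive, a binary from the extraction directory
    runs, and optionally the archive is deleted, all within `window` of the extraction."""
    by_host = defaultdict(list)
    for ts, eid, f in events:
        if eid == 4688:
            by_host[f["host"]].append((_ts(ts), f))
    findings = []
    for host, procs in by_host.items():
        procs.sort(key=lambda p: p[0])
        for i, (t0, f0) in enumerate(procs):
            if not f0["image"].lower().endswith("7z.exe"):
                continue
            archive, outdir = _extract_args(f0["cmdline"])
            if archive is None:
                continue
            later = [f for t, f in procs[i + 1:] if t - t0 <= window]
            prefix = outdir.lower().rstrip("\\") + "\\"
            executed = [f["image"] for f in later if f["image"].lower().startswith(prefix)]
            if not executed:
                continue  # extraction alone is normal user activity
            deleted = any(f["image"].lower().endswith("cmd.exe")
                          and " del " in f["cmdline"].lower()
                          and archive.lower() in f["cmdline"].lower() for f in later)
            findings.append({"host": host, "archive": archive,
                             "executed": executed[0], "archive_deleted": deleted})
    return findings


def lateral_movement(events):
    """wmic.exe 'process call create' and schtasks.exe /create, the remote-execution
    primitives the page lists, with the host they were launched from."""
    hits = []
    for ts, eid, f in events:
        if eid != 4688:
            continue
        image, cl = f["image"].lower(), f["cmdline"].lower()
        if image.endswith("wmic.exe") and "process call create" in cl:
            hits.append(("wmic", f["host"], f["cmdline"]))
        elif image.endswith("schtasks.exe") and "/create" in cl:
            hits.append(("schtasks", f["host"], f["cmdline"]))
    return hits


if __name__ == "__main__":
    print("new local admins:", new_admin_accounts(SAMPLE_EVENTS))
    for hit in encryptor_staging(SAMPLE_EVENTS):
        print("staging chain:", hit)
    for kind, host, cl in lateral_movement(SAMPLE_EVENTS):
        print(f"lateral movement ({kind}) from {host}: {cl}")
```

The staging detector deliberately requires execution from the extraction directory before it fires, so the unrelated extraction on WS07 stays quiet; the archive deletion is recorded as a confidence booster rather than a requirement, since the batch script's cleanup step is the easiest part of the chain to vary. Real deployments would read 4688 command lines from an EDR or Sysmon feed, where process command-line auditing must be enabled explicitly.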

Vulnerabilities and Impact

No initial access vector has been published for this incident. Cactus affiliates' documented entry points, exploitation of exposed services and malvertising-delivered loaders, followed by account creation and RDP, scheduled-task and WMIC lateral movement inside an on-premises domain, are the paths a specialized manufacturer like Dahl Valve should prioritise: patching and MFA on remote-access infrastructure, alerting on new local administrator accounts, and restricting who may create scheduled tasks or invoke WMIC remotely. The claimed theft of contracts, financial records and database backups shows why data exfiltration, not just encryption, has to be part of the threat model for firms holding customer data and intellectual property.


Recent Ransomware Attacks

The Recent Ransomware Attacks (RRA) site acts as a watchtower, providing near real-time tracking of ransomware attacks, groups and their victims. Given threat actors' lucrative success so far, ransomware has become the most ubiquitous, and the most financially and informationally damaging, cyber threat to businesses and organizations today.

The site’s data is generated based on hosting choices of real-world threat actors, and a handful of other trackers. While sanitization efforts have been taken, we cannot guarantee 100% accuracy of the data. Attack updates will be made as source data is reported by reputable sources. By viewing, accessing, or using RRA you acknowledge you are doing so at your own risk.