EXCO GmbH Hit by Cactus Ransomware: 251GB Data Compromised

Incident Date:

August 5, 2024


Overview

Title

EXCO GmbH Hit by Cactus Ransomware: 251GB Data Compromised

Victim

EXCO GmbH

Attacker

Cactus

Location

Frankenthal, Germany

First Reported

August 5, 2024

EXCO GmbH Targeted by Cactus Ransomware Group: A Detailed Analysis

EXCO GmbH, a technical service provider headquartered in Frankenthal, Germany, has been listed as a victim on the leak site of the Cactus ransomware group. The group claims to have exfiltrated 251GB of organizational data and has already published a 1% sample of it on its dark web leak site as proof of the intrusion.

About EXCO GmbH

Founded in 1994, EXCO GmbH has established itself as a partner for manufacturers and systems providers in regulated industries. The company delivers quality assurance and engineering services covering software engineering, system development, and automation. With over 300 employees, EXCO serves clients primarily in the medical, pharmaceutical, biotechnology, food technology, and chemical industries, and holds DIN EN ISO 13485 and ISO 9001 certifications.

Attack Overview

The Cactus ransomware group claims to have infiltrated EXCO GmbH's systems and gained access to a wide range of critical information. According to the leak post, the compromised data includes personally identifiable information, personal and corporate data of employees and executives, customer data, financial documents, contracts, and corporate correspondence. Because EXCO works under contract for clients in regulated industries, exposure of customer data and contracts affects not only EXCO's own staff but also the third parties whose projects it handles.

About the Cactus Ransomware Group

First observed in March 2023, Cactus operates as a ransomware-as-a-service (RaaS). The group is known for exploiting vulnerabilities in internet-facing services and for using malvertising lures to gain initial access. Among the vulnerabilities attributed to the group is ZeroLogon (CVE-2020-1472), a flaw in the Netlogon Remote Protocol that lets an unauthenticated attacker with network access to a domain controller reset the controller's machine account password and from there obtain domain administrator privileges. Cactus affiliates use custom scripts to disable security tools before distributing the ransomware, and they target organizations of all sizes across many industries.

Penetration and Techniques

Cactus is notable for protecting its own encryptor from detection: the payload is delivered in encrypted form and is only decrypted at run time with a key the operator passes on the command line, so a copy recovered from disk is inert to signature-based scanners. Deployment is driven by a batch script that extracts the encryptor binary from a 7-Zip archive, launches it with the execution flag, and then deletes the original archive. Encrypted files receive the extension ".cts1", where the numeric suffix varies between victims. Before encryption, the operators typically create several new accounts and add them to the local Administrators group; these accounts are used to blend in with legitimate administration, escalate privileges, and maintain persistence. Lateral movement relies on built-in Windows tooling: RDP, scheduled tasks, and Windows Management Instrumentation Command-line (WMIC).
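The post-exploitation behaviour described above (self-provisioned administrator accounts, scheduled tasks for lateral movement, and the ZeroLogon machine-account password reset mentioned in the previous section) leaves a recognisable trail in the Windows Security log. The following is an added example of triage logic over such events; it is not code from the original page or from any vendor report on Cactus. The event records are constructed for the example, and their flat field names (`subject`, `member`, `target`, `command`) are an assumption standing in for the EventData fields a real export would carry.

```python
"""Triage Windows Security events for the Cactus-style post-exploitation chain.

Event IDs used (all standard Windows Security log IDs):
  4720  user account created
  4732  member added to a security-enabled local group
  4698  scheduled task created
  4742  computer account changed (ZeroLogon resets the DC's own password
        and the Subject of that 4742 shows as ANONYMOUS LOGON)
"""
import re
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry). Field layout is an
# assumption modelled loosely on the Security log; adapt the key names to
# whatever your SIEM export uses.
EVENTS = [
    {"t": "2024-08-02T09:00:00", "id": 4720, "host": "DC01",
     "subject": "CORP\\hr_admin", "target": "new.hire"},
    {"t": "2024-08-02T09:30:00", "id": 4732, "host": "DC01",
     "subject": "CORP\\hr_admin", "member": "new.hire", "group": "Domain Users"},
    {"t": "2024-08-03T01:12:04", "id": 4742, "host": "DC01",
     "subject": "ANONYMOUS LOGON", "target": "DC01$"},
    {"t": "2024-08-03T01:20:31", "id": 4720, "host": "DC01",
     "subject": "CORP\\jdoe", "target": "svc_backup2"},
    {"t": "2024-08-03T01:20:33", "id": 4732, "host": "DC01",
     "subject": "CORP\\jdoe", "member": "svc_backup2", "group": "Administrators"},
    {"t": "2024-08-03T02:05:10", "id": 4698, "host": "FS01",
     "subject": "CORP\\svc_backup2", "task": "\\update",
     "command": "C:\\ProgramData\\update.bat"},
]

# Cactus appends ".cts<N>" to encrypted files; N differs per victim.
ENCRYPTED_NAME = re.compile(r"\.cts\d+$")


def _ts(event):
    return datetime.fromisoformat(event["t"])


def new_accounts_made_admin(events, window=timedelta(minutes=30)):
    """Account creation (4720) followed within `window` by that same account
    being added to Administrators (4732). Returns (account, creator, host)."""
    created = {}
    hits = []
    for e in sorted(events, key=lambda e: e["t"]):
        if e["id"] == 4720:
            created[e["target"]] = _ts(e)
        elif e["id"] == 4732 and e.get("group") == "Administrators":
            t0 = created.get(e["member"])
            if t0 is not None and _ts(e) - t0 <= window:
                hits.append((e["member"], e["subject"], e["host"]))
    return hits


def zerologon_indicators(events):
    """4742 on a machine account ($) whose Subject is ANONYMOUS LOGON: the
    password reset CVE-2020-1472 performs against the domain controller."""
    return [(e["host"], e["target"]) for e in events
            if e["id"] == 4742 and e["subject"] == "ANONYMOUS LOGON"
            and e["target"].endswith("$")]


def tasks_created_by(events, accounts):
    """4698 scheduled-task creations by any of the flagged accounts; domain
    prefixes are stripped so 'CORP\\x' matches 'x'."""
    names = {a.split("\\")[-1].lower() for a in accounts}
    return [(e["host"], e["subject"], e["command"]) for e in events
            if e["id"] == 4698
            and e["subject"].split("\\")[-1].lower() in names]


def is_cactus_encrypted_name(path):
    """True for names carrying the '.cts<N>' suffix described in the text."""
    return bool(ENCRYPTED_NAME.search(path))


def triage(events):
    """Chain the three detections: flagged admins feed the task-creation check."""
    admins = new_accounts_made_admin(events)
    return {
        "new_admins": admins,
        "zerologon": zerologon_indicators(events),
        "tasks": tasks_created_by(events, [a for a, _, _ in admins]),
    }


if __name__ == "__main__":
    for name, findings in triage(EVENTS).items():
        print(f"{name}: {findings}")
```

The benign HR case (an account created and then added to Domain Users) is deliberately included so that the rule only fires on the Administrators group within a short window, which is what separates the attacker pattern from routine provisioning. On a real DC the ZeroLogon check should be paired with the Netlogon events 5827 to 5829 that Microsoft introduced for the patch rollout.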

Vulnerabilities and Impact

EXCO GmbH's work for clients in highly regulated industries makes it an attractive target for groups like Cactus: a contractor holds project documentation, test records, and correspondence for many customers at once, so a single intrusion yields data that can be used to pressure each of them. The company's own regulatory obligations, including notification duties under data protection law, add to the cost of the incident beyond the immediate loss of data, and the publication of the sample on the leak site threatens its reputation and its relationships with those customers.

Sources

Recent Ransomware Attacks


The site’s data is generated based on hosting choices of real-world threat actors, and a handful of other trackers. While sanitization efforts have been taken, we cannot guarantee 100% accuracy of the data. Attack updates will be made as source data is reported by reputable sources. By viewing, accessing, or using RRA you acknowledge you are doing so at your own risk.