Hydmech Hit by Major Ransomware Attack, 980GB of Data Compromised
Incident Date:
June 24, 2024
Overview
Title
Hydmech Hit by Major Ransomware Attack, 980GB of Data Compromised
Victim
Hydmech
Attacker
Cactus
Location
First Reported
June 24, 2024
Ransomware Attack on Hydmech by Cactus Ransomware Group
Overview of Hydmech
Hydmech, headquartered in Woodstock, Ontario, Canada, is a leading manufacturer specializing in industrial saws and material handling equipment. Established in 1978, the company has grown to become the largest North American band saw manufacturer. Hydmech's product range includes band saws, cold saws, and material handling systems, serving industries such as metalworking, automotive, aerospace, and construction. The company employs around 70 people and generates an annual revenue of $47.2 million.
What Makes Hydmech Stand Out
Hydmech is known for its high-quality, durable, and efficient sawing solutions. Their band saws, available in various configurations, are praised for their precision, reliability, and advanced features like programmable controls and automatic feed systems. Cold saws, another key product, are designed for clean, precise cuts with minimal burrs. Hydmech also offers comprehensive support services, including installation, maintenance, and training, ensuring customer satisfaction and long-term reliability of their products.
Details of the Ransomware Attack
In late June 2024 (June 24 per the listing above, June 25 per the original report), Hydmech was hit by a ransomware attack attributed to the Cactus ransomware group. According to the group's leak-site posting, 980GB of data was exfiltrated, including engineering drawings, research and development data, quality assurance documents, personal identification information, customer agreements, confidential HR data, personal folders belonging to executives and employees, and financial statements including payroll. The attackers have posted the data on their dark-web leak site.
About the Cactus Ransomware Group
The Cactus ransomware group, first identified in March 2023, operates as ransomware-as-a-service (RaaS). It is known for exploiting vulnerabilities in internet-facing systems and for using malvertising lures in targeted attacks. One vulnerability attributed to the group is ZeroLogon (CVE-2020-1472), a flaw in the Netlogon Remote Protocol that lets an unauthenticated attacker with network access to a domain controller reset the domain controller's machine account password and from there obtain domain administrator privileges. Microsoft patched the flaw in August 2020, so its exploitation in an intrusion points to unpatched domain controllers. Cactus affiliates use custom scripts to disable security tools before distributing the ransomware, and they target a wide range of industries.
How Cactus Ransomware Group Distinguishes Itself
What sets Cactus apart is that the encryptor binary is itself protected from static inspection. A batch script uses 7-Zip to extract the encryptor from a ZIP archive, launches it with an execution flag (the binary also needs a key supplied on the command line to decrypt its own configuration), and then deletes the archive, so the plaintext payload has little time on disk for antivirus to scan. Targeted files are renamed with a .cts0 extension before encryption and .cts1 after. The group's intrusions typically involve creating several new accounts and adding them to the Administrators group; these accounts are then used to blend in, escalate privileges, and persist in the environment. Lateral movement is carried out by abusing RDP, scheduled tasks, and the Windows Management Instrumentation Command-line (WMIC).
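The tradecraft described above (7-Zip unpack followed by execution of the extracted binary, new accounts added to Administrators, WMIC and scheduled-task lateral movement, and the .cts0/.cts1 rename pattern) maps to a handful of correlation rules a SOC can run over Windows Security and Sysmon telemetry. The following is an added example written for this page, not code from Hydmech, Cactus, or the tracker; the event records, host names, account names, paths and the command-line flags in them are constructed for the demonstration, and the flattened field names (ts, host, type, image, cmdline, target_user, group, new_name) are an assumption standing in for whatever your SIEM exports.

```python
"""Added detection example (not Hydmech's, Cactus's or the tracker's code).
Correlates simplified Windows Security / Sysmon-style events for the Cactus
tradecraft described on this page. All events below are constructed samples."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (assumption: flattened field names, not a real log export).
EVENTS = [
    # Staging: batch script unpacks the encryptor with 7-Zip, runs it, deletes the archive.
    {"ts": "2024-06-24T02:10:05", "host": "WS-ENG-07", "type": "process_create",
     "image": r"C:\Program Files\7-Zip\7z.exe",
     "cmdline": r"7z.exe x C:\ProgramData\pkg.zip -oC:\ProgramData\tmp -pS3cret"},
    {"ts": "2024-06-24T02:10:09", "host": "WS-ENG-07", "type": "process_create",
     "image": r"C:\ProgramData\tmp\update.exe", "cmdline": "update.exe -s -i 0123abcd"},
    {"ts": "2024-06-24T02:10:12", "host": "WS-ENG-07", "type": "file_delete",
     "target": r"C:\ProgramData\pkg.zip"},
    # Persistence: account created (event 4720) then added to Administrators (event 4732).
    {"ts": "2024-06-24T02:15:00", "host": "DC01", "type": "4720", "target_user": "svcadm"},
    {"ts": "2024-06-24T02:15:20", "host": "DC01", "type": "4732", "target_user": "svcadm",
     "group": "Administrators"},
    # Lateral movement: WMIC remote process creation and a remote scheduled task.
    {"ts": "2024-06-24T02:20:00", "host": "WS-ENG-07", "type": "process_create",
     "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": r"wmic /node:FS01 process call create cmd.exe /c C:\ProgramData\tmp\update.exe -s"},
    {"ts": "2024-06-24T02:21:00", "host": "WS-ENG-07", "type": "process_create",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r"schtasks /create /s FS01 /tn Updates /tr C:\ProgramData\tmp\update.exe /sc once /st 02:30"},
]
# Encryption: a burst of renames to the .cts0 extension on the file server (constructed).
EVENTS += [{"ts": f"2024-06-24T02:30:{i:02d}", "host": "FS01", "type": "file_rename",
            "new_name": rf"\\FS01\eng\drawing{i}.dwg.cts0"} for i in range(60)]


def _ts(e):
    return datetime.fromisoformat(e["ts"])


def detect_unpack_and_execute(events, window_s=300):
    """7-Zip extracts to -o<dir> and a binary under <dir> runs on the same host within window_s."""
    events = sorted(events, key=_ts)
    hits = []
    for i, e in enumerate(events):
        if e["type"] != "process_create" or not e["image"].lower().endswith("7z.exe"):
            continue
        m = re.search(r'-o"?([^"\s]+)', e["cmdline"])
        if not m:
            continue
        out_dir = m.group(1).rstrip("\\").lower() + "\\"
        for f in events[i + 1:]:
            if _ts(f) - _ts(e) > timedelta(seconds=window_s):
                break
            if (f["host"] == e["host"] and f["type"] == "process_create"
                    and f["image"].lower().startswith(out_dir)):
                hits.append((e["host"], f["image"]))
    return hits


def detect_rogue_admin(events, window_s=600):
    """A freshly created account (4720) lands in Administrators (4732) within window_s."""
    created, hits = {}, []
    for e in sorted(events, key=_ts):
        key = (e["host"], e.get("target_user", "").lower())
        if e["type"] == "4720":
            created[key] = _ts(e)
        elif e["type"] == "4732" and e["group"].lower() == "administrators":
            if key in created and _ts(e) - created[key] <= timedelta(seconds=window_s):
                hits.append(key)
    return hits


LATERAL = [
    (r"\bwmic(\.exe)?\b.*/node:", "wmic remote process creation"),
    (r"\bschtasks(\.exe)?\b.*/create\b.*\s/s\s", "remote scheduled task"),
]


def detect_lateral_movement(events):
    """Command lines that target another host via WMIC /node: or a remote schtasks /create."""
    hits = []
    for e in sorted(events, key=_ts):
        if e["type"] != "process_create":
            continue
        for pat, label in LATERAL:
            if re.search(pat, e["cmdline"], re.I):
                hits.append((e["host"], label))
    return hits


def detect_cts_renames(events, threshold=50, window_s=60):
    """At least `threshold` renames to .cts0/.cts1 on one host inside any window_s-second span."""
    per_host = defaultdict(list)
    for e in events:
        if e["type"] == "file_rename" and e["new_name"].lower().endswith((".cts0", ".cts1")):
            per_host[e["host"]].append(_ts(e))
    hits = []
    for host, times in per_host.items():
        times.sort()
        j = 0
        for i, t in enumerate(times):          # sliding window over sorted timestamps
            while t - times[j] > timedelta(seconds=window_s):
                j += 1
            if i - j + 1 >= threshold:
                hits.append(host)
                break
    return hits


def run_all(events):
    return {"unpack_and_execute": detect_unpack_and_execute(events),
            "rogue_admin": detect_rogue_admin(events),
            "lateral_movement": detect_lateral_movement(events),
            "cts_renames": detect_cts_renames(events)}


if __name__ == "__main__":
    for rule, hits in run_all(EVENTS).items():
        print(f"{rule}: {hits}")
```

The rename rule is the one that fires latest in the intrusion, so it is a last-resort signal; the unpack-and-execute and rogue-admin rules fire before encryption starts and are the ones worth paging on. Thresholds and windows are starting points to tune against your own baseline (an engineering file server may legitimately rename files in bulk, but never to a .cts0 extension).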
Potential Vulnerabilities and Penetration Methods
No public detail describes how the attackers gained initial access to Hydmech. Like many mid-sized manufacturers, the company may have been exposed through unpatched systems, weak remote-access controls, or limited monitoring of network activity. Consistent with the group's known tradecraft, Cactus could have entered by exploiting a known vulnerability such as ZeroLogon, through phishing, or via a malvertising lure. Once inside, the attackers likely used their custom scripts to disable security tools, then staged and deployed the ransomware, which is how the large-scale data theft described above would have occurred. For defenders, the practical lessons are the ones the group's playbook implies: keep domain controllers and edge devices patched, alert on new accounts being added to administrator groups, and watch for WMIC and scheduled-task activity between workstations and servers.
Sources
Recent Ransomware Attacks
The Recent Ransomware Attacks (RRA) site acts as a watchtower, providing you with near real-time ransomware tracking of attacks, groups and their victims. Given threat actors’ overarching, lucrative success so far, ransomware attacks have become the most ubiquitous, and financially and informationally impactful cyber threat to businesses and organizations today.
The site’s data is generated based on hosting choices of real-world threat actors, and a handful of other trackers. While sanitization efforts have been taken, we cannot guarantee 100% accuracy of the data. Attack updates will be made as source data is reported by reputable sources. By viewing, accessing, or using RRA you acknowledge you are doing so at your own risk.