Ransomware Attack on Hydmech by Cactus Ransomware Group

Overview of Hydmech

Hydmech, headquartered in Woodstock, Ontario, Canada, is a leading manufacturer specializing in industrial saws and material handling equipment. Established in 1978, the company has grown to become the largest North American band saw manufacturer. Hydmech's product range includes band saws, cold saws, and material handling systems, serving industries such as metalworking, automotive, aerospace, and construction. The company employs around 70 people and generates an annual revenue of $47.2 million.

What Makes Hydmech Stand Out

Hydmech is known for its high-quality, durable, and efficient sawing solutions. Their band saws, available in various configurations, are praised for their precision, reliability, and advanced features like programmable controls and automatic feed systems. Cold saws, another key product, are designed for clean, precise cuts with minimal burrs. Hydmech also offers comprehensive support services, including installation, maintenance, and training, ensuring customer satisfaction and long-term reliability of their products.

Details of the Ransomware Attack

On June 25, 2024, Hydmech was targeted by a ransomware attack executed by the Cactus ransomware group. The attack led to a significant data breach, with 980GB of sensitive information compromised. The leaked data included engineering drawings, research and development data, quality assurance documents, personal identification information, customer agreements, confidential HR data, personal folders of executives and employees, and financial statements including payroll. The attackers have made this data available on the dark web.

About the Cactus Ransomware Group

The Cactus ransomware group, identified in March 2023, operates as a ransomware-as-a-service (RaaS). The group is notorious for exploiting vulnerabilities and using malvertising lures for targeted attacks. They have been known to exploit the ZeroLogon vulnerability (CVE-2020-1472), which allows remote unauthenticated attackers to access domain controllers and gain domain administrator access. Cactus ransomware affiliates use custom scripts to disable security tools and distribute the ransomware, targeting various industries.

How Cactus Ransomware Group Distinguishes Itself

Cactus ransomware employs unique encryption techniques to avoid detection. The group uses a batch script to obtain the encryptor binary using 7-Zip, then deploys the encryptor binary with an execution flag and removes the original ZIP archive. They change the file extension to CTS0 before encryption and CTS1 after encryption. The group's attacks often involve creating multiple accounts and adding them to the administrator's group, which are then used to evade detection, escalate privileges, and remain persistent in the environment. Attackers move laterally by abusing RDP, scheduled tasks, and Windows Management Instrumentation Command (WMIC).

Potential Vulnerabilities and Penetration Methods

Hydmech, like many organizations, may have been vulnerable due to unpatched systems, weak security protocols, or insufficient monitoring of network activities. The Cactus ransomware group could have penetrated Hydmech's systems by exploiting known vulnerabilities such as ZeroLogon, using phishing attacks, or leveraging malvertising lures. Once inside, the attackers likely used custom scripts to disable security tools and deploy the ransomware, leading to the extensive data breach.

Sources

• Hydmech Official Website
• Talos Intelligence - Quarterly Report Q4 2023
• Tanium - Cyber Threat Intelligence Roundup
• Check Point - Ransomware