Leonard's Syrups Faces Major Data Breach in Cactus Ransomware Attack
Incident Date: July 30, 2024
Overview
Victim: Leonard's Syrups
Attacker: Cactus
First Reported: July 30, 2024
Leonard's Syrups Hit by Cactus Ransomware Attack
Leonard's Syrups, a family-owned beverage company based in Detroit, Michigan, has become the latest victim of a ransomware attack orchestrated by the Cactus ransomware group. The attack, which was disclosed on July 31, has led to a significant data breach, affecting various aspects of the company's operations.
Company Overview
Leonard's Syrups, established in 1964 by Leonard Bugajewski Sr. and his son Leonard Jr., is renowned for its extensive range of beverage products and services. The company specializes in soda syrups, beverage gases, and related equipment, serving a diverse clientele that includes restaurants and convenience stores. With multiple locations across Michigan, including Detroit, Saginaw, and Grand Rapids, Leonard's Syrups has built a reputation for excellent customer service and quality products.
Details of the Attack
The ransomware attack has compromised financial records, customer data, internal communications, and potentially technical details related to the company's operations. While some evidence of the breach has surfaced online, comprehensive details remain scarce. Leonard's Syrups has yet to issue a public statement regarding the incident, and the situation is currently under investigation.
About the Cactus Ransomware Group
The Cactus ransomware group, first discovered in March 2023, operates as a ransomware-as-a-service (RaaS). The group is known for exploiting vulnerabilities and leveraging malvertising lures for targeted attacks. Cactus ransomware affiliates use custom scripts to disable security tools and distribute the ransomware, targeting organizations of all sizes across various industries.
Cactus ransomware employs unusual encryption techniques to avoid detection. A batch script extracts the encryptor binary from a ZIP archive with 7-Zip, launches the binary with an execution flag, and then deletes the original ZIP archive. The ransomware appends the extension “.cts1” to encrypted files, with the numeric suffix varying between victims.
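The two observable traits described above (the extract-run-delete staging chain and the variable-digit ".cts" extension) are the kind of thing a defender can turn into detection logic. The following is an added example written for this page, not code from the tracker or from any vendor: it flags file names carrying a ".cts<digits>" extension and scans process/file events for a 7-Zip extraction that is followed by execution of a binary from the output directory and deletion of the archive. The event lines and their "timestamp|host|event|detail" layout are constructed for the example, and the "/run" flag on the sample binary is a placeholder, since the page does not give the real flag.

```python
"""Detection helpers for the Cactus behaviour described above.

Added example, not code from the page or from any vendor. Assumptions:
  * the ".cts<digits>" regex follows the page's statement that the numeric
    suffix after ".cts" varies between victims;
  * the sample events below are constructed and use a hypothetical
    "timestamp|host|event|detail" format; "/run" is a placeholder flag.
"""
import re
from collections import defaultdict

# ".cts" followed by one or more digits at the very end of the name.
CACTUS_EXT_RE = re.compile(r"\.cts\d+$", re.IGNORECASE)


def is_cactus_encrypted_name(filename: str) -> bool:
    """True if the file name ends in a Cactus-style '.cts<N>' extension."""
    return CACTUS_EXT_RE.search(filename) is not None


def find_encrypted_files(filenames):
    """Return the names that look Cactus-encrypted, preserving input order."""
    return [f for f in filenames if is_cactus_encrypted_name(f)]


# Constructed sample events (hypothetical format: ts|host|event|detail).
# WS01 shows the full extract -> run -> delete chain; WS02 is benign noise.
SAMPLE_EVENTS = """\
2024-07-30T02:11:05|WS01|process_create|7z.exe x C:\\Users\\Public\\pkg.zip -oC:\\Users\\Public
2024-07-30T02:11:07|WS01|process_create|C:\\Users\\Public\\svc.exe /run
2024-07-30T02:11:08|WS01|file_delete|C:\\Users\\Public\\pkg.zip
2024-07-30T09:00:00|WS02|process_create|7z.exe x C:\\Builds\\release.zip -oC:\\Builds
2024-07-30T09:05:00|WS02|process_create|notepad.exe C:\\Builds\\README.txt
""".splitlines()

# 7-Zip command line: "<archive>.zip -o<output dir>" (no space after -o).
EXTRACT_RE = re.compile(r"(\S+\.zip)\s+-o(\S+)", re.IGNORECASE)


def parse_event(line: str) -> dict:
    """Split one constructed event line into its four fields."""
    ts, host, event, detail = line.split("|", 3)
    return {"ts": ts, "host": host, "event": event, "detail": detail}


def detect_extract_run_delete(lines):
    """Flag hosts where a 7-Zip extraction is followed by execution of a
    binary from the extraction directory and deletion of the archive, the
    staging chain the page attributes to Cactus's batch script."""
    by_host = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        by_host[ev["host"]].append(ev)

    hits = []
    for host, events in by_host.items():
        for i, ev in enumerate(events):
            if ev["event"] != "process_create":
                continue
            if not ev["detail"].lower().startswith("7z"):
                continue
            m = EXTRACT_RE.search(ev["detail"])
            if not m:
                continue
            archive, outdir = m.group(1), m.group(2)
            later = events[i + 1:]
            ran = any(
                e["event"] == "process_create"
                and e["detail"].lower().startswith(outdir.lower())
                for e in later
            )
            deleted = any(
                e["event"] == "file_delete"
                and e["detail"].lower() == archive.lower()
                for e in later
            )
            if ran and deleted:
                hits.append({"host": host, "ts": ev["ts"],
                             "archive": archive, "binary_dir": outdir})
    return hits


if __name__ == "__main__":
    for hit in detect_extract_run_delete(SAMPLE_EVENTS):
        print("possible staging chain:", hit)
    print(find_encrypted_files(["invoice.xlsx.cts1", "notes.cts", "x.pdf"]))
```

Requiring all three steps on one host keeps ordinary 7-Zip use (the WS02 lines) out of the alert, while the extension check alone is enough to triage a file share after the fact; both pieces are tied to behaviour the page describes rather than to any hash or path, so they survive the per-victim suffix change.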
Potential Vulnerabilities
Leonard's Syrups, like many companies in the manufacturing sector, may have been vulnerable due to outdated security measures or unpatched systems. The Cactus group has been observed exploiting the ZeroLogon vulnerability, tracked as CVE-2020-1472, which allows remote unauthenticated attackers to access domain controllers and obtain domain administrator access. This vulnerability could have been a potential entry point for the attackers.
The attack on Leonard's Syrups underscores the growing threat of ransomware attacks on businesses of all sizes. As the investigation continues, the company will need to address the vulnerabilities that allowed this breach to occur and take steps to prevent future incidents.
Recent Ransomware Attacks
The Recent Ransomware Attacks (RRA) site acts as a watchtower, providing you with near real-time ransomware tracking of attacks, groups and their victims. Given threat actors’ overarching, lucrative success so far, ransomware attacks have become the most ubiquitous, and financially and informationally impactful cyber threat to businesses and organizations today.
The site’s data is generated based on hosting choices of real-world threat actors, and a handful of other trackers. While sanitization efforts have been taken, we cannot guarantee 100% accuracy of the data. Attack updates will be made as source data is reported by reputable sources. By viewing, accessing, or using RRA you acknowledge you are doing so at your own risk.