Leonard's Syrups Faces Major Data Breach in Cactus Ransomware Attack

Incident Date: July 30, 2024


Overview

Title: Leonard's Syrups Faces Major Data Breach in Cactus Ransomware Attack

Victim: Leonard's Syrups

Attacker: Cactus

Location: Detroit, USA / Michigan, USA

First Reported: July 30, 2024

Leonard's Syrups Hit by Cactus Ransomware Attack

Leonard's Syrups, a family-owned beverage company based in Detroit, Michigan, has become the latest victim of a ransomware attack orchestrated by the Cactus ransomware group. The attack, which was disclosed on July 31, has led to a significant data breach, affecting various aspects of the company's operations.

Company Overview

Leonard's Syrups, established in 1964 by Leonard Bugajewski Sr. and his son Leonard Jr., is renowned for its extensive range of beverage products and services. The company specializes in soda syrups, beverage gases, and related equipment, serving a diverse clientele that includes restaurants and convenience stores. With multiple locations across Michigan, including Detroit, Saginaw, and Grand Rapids, Leonard's Syrups has built a reputation for excellent customer service and quality products.

Details of the Attack

The ransomware attack has compromised financial records, customer data, internal communications, and potentially technical details related to the company's operations. While some evidence of the breach has surfaced online, comprehensive details remain scarce. Leonard's Syrups has yet to issue a public statement regarding the incident, and the situation is currently under investigation.

About the Cactus Ransomware Group

The Cactus ransomware group, first discovered in March 2023, operates as a ransomware-as-a-service (RaaS). The group is known for exploiting vulnerabilities and leveraging malvertising lures for targeted attacks. Cactus ransomware affiliates use custom scripts to disable security tools and distribute the ransomware, targeting organizations of all sizes across various industries.

Cactus ransomware employs unique encryption techniques to avoid detection. The group uses a batch script that extracts the encryptor binary from a ZIP archive with 7-Zip, launches the binary with an execution flag, and then deletes the original ZIP archive. The ransomware appends the file extension ".cts1" to encrypted files, with the numerical value varying between victims.
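The extract-run-delete sequence and the ".cts<N>" extension described above are both observable from the defender's side. The following Python is an added example, not code from the report or from Cactus tooling: it runs over a constructed process-creation log (the "<timestamp> <host> <parent> <command line>" format and the "-runflag" value are assumptions, since the report does not give the log format or name the execution flag) and flags hosts where a 7-Zip extraction is followed by execution of a binary from the output directory and deletion of the archive, plus a helper that matches the encrypted-file extension pattern.

```python
import ntpath
import re

# Matches the ".cts<N>" suffix the report attributes to Cactus (N varies per victim).
CACTUS_EXT = re.compile(r"\.cts\d+$", re.IGNORECASE)

# Constructed sample telemetry (not real data). WS01 shows the full chain;
# WS02 extracts and runs but never deletes the archive, so it is not flagged.
SAMPLE_LOG = r"""
2024-07-30T02:14:01 WS01 cmd.exe 7z.exe x C:\ProgramData\upd.zip -oC:\ProgramData\upd
2024-07-30T02:14:03 WS01 cmd.exe C:\ProgramData\upd\svc.exe -runflag
2024-07-30T02:14:04 WS01 cmd.exe del C:\ProgramData\upd.zip
2024-07-30T09:00:00 WS02 explorer.exe 7z.exe x C:\Users\bob\photos.zip -oC:\Users\bob\photos
2024-07-30T09:00:05 WS02 explorer.exe C:\Users\bob\photos\viewer.exe
"""

def is_cactus_extension(filename):
    """True for names ending in .cts<N>; .cts alone or .ctsx do not match."""
    return bool(CACTUS_EXT.search(filename))

def parse_log(text):
    """Split each non-empty line into timestamp, host, parent image and command line."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, host, parent, cmd = line.split(maxsplit=3)
            events.append({"ts": ts, "host": host, "parent": parent, "cmd": cmd})
    return events

def _extraction(cmd):
    """If cmd is a 7-Zip extract (x/e), return (archive, output_dir), else None."""
    argv = cmd.split()
    if not argv[0].lower().endswith("7z.exe") or len(argv) < 3 or argv[1] not in ("x", "e"):
        return None
    archive = next((a for a in argv[2:] if not a.startswith("-")), None)
    outdir = next((a[2:] for a in argv[2:] if a.startswith("-o")), None)
    if archive is None:
        return None
    # Without -o, 7-Zip extracts into the working directory; assume the archive's.
    return archive, outdir or ntpath.dirname(archive)

def find_extract_run_delete(events):
    """Return (host, archive, executed_binary) for each completed chain."""
    pending, hits = {}, []
    for ev in events:
        host, cmd = ev["host"], ev["cmd"]
        ext = _extraction(cmd)
        if ext:
            pending.setdefault(host, []).append({"archive": ext[0], "outdir": ext[1], "ran": None})
            continue
        exe = cmd.split()[0]
        for p in pending.get(host, []):
            if exe.lower().startswith(p["outdir"].lower().rstrip("\\") + "\\"):
                p["ran"] = exe          # a binary from the extraction directory was launched
            elif cmd.lower().startswith("del ") and p["archive"].lower() in cmd.lower() and p["ran"]:
                hits.append((host, p["archive"], p["ran"]))
    return hits
```

In a real deployment the same correlation would run per host over EDR or Sysmon process-creation events, with a time window between the extraction and the deletion.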

Potential Vulnerabilities

Leonard's Syrups, like many companies in the manufacturing sector, may have been vulnerable due to outdated security measures or unpatched systems. The Cactus group has been observed exploiting the ZeroLogon vulnerability, tracked as CVE-2020-1472, which allows remote unauthenticated attackers to access domain controllers and obtain domain administrator access. This vulnerability could have been a potential entry point for the attackers.

The attack on Leonard's Syrups underscores the growing threat of ransomware attacks on businesses of all sizes. As the investigation continues, the company will need to address the vulnerabilities that allowed this breach to occur and take steps to prevent future incidents.
