Mihlfeld & Associates Hit by Cactus Ransomware: 316GB Data Breach

Incident Date:

August 8, 2024

Overview

Victim

Mihlfeld & Associates

Attacker

Cactus

Location

Springfield, Missouri, USA

First Reported

August 8, 2024

Ransomware Attack on Mihlfeld & Associates by Cactus Group

Mihlfeld & Associates, a prominent logistics consulting firm, has recently fallen victim to a ransomware attack orchestrated by the Cactus ransomware group. The attack, discovered on August 8, 2024, has resulted in a significant data breach, compromising 316GB of sensitive information. The attackers have demanded a ransom of $88.2 million, posing a substantial risk to the firm's operations and client confidentiality.

About Mihlfeld & Associates

Established on March 31, 1994, Mihlfeld & Associates (M&A) specializes in providing logistics services and technology aimed at reducing costs, improving efficiency, and enhancing value for its clients. Operating as a non-asset-based company, M&A maintains an unbiased approach in its consulting services, fostering a collaborative environment essential for optimizing clients' logistics operations. The firm offers specialized transportation, distribution, and information services, leveraging advanced data analytics capabilities to provide real-time insights into freight costs and operational efficiency.

What Makes M&A Stand Out

M&A is renowned for its exceptional customer service and innovative reporting capabilities. The firm emphasizes meticulous data collection and analysis, providing customized web reporting and dashboards that enable clients to make informed decisions. This focus on business intelligence has led to significant savings for clients, with reported savings of $960,000 within the first 90 days of invoice auditing for one client. M&A's commitment to continuous improvement and client success positions it as a valuable partner in the logistics consulting industry.

Vulnerabilities and Attack Overview

The Cactus ransomware group exploited vulnerabilities in M&A's systems to execute the attack. Cactus is known for leveraging malvertising lures and exploiting the ZeroLogon vulnerability (CVE-2020-1472), which allows remote unauthenticated attackers to access domain controllers and obtain domain administrator access. The group employs unique encryption techniques to avoid detection, using custom scripts to disable security tools and distribute the ransomware. In this attack, Cactus compromised 316GB of sensitive data, demanding a ransom of $88.2 million.

About the Cactus Ransomware Group

First discovered in March 2023, the Cactus ransomware group operates as a ransomware-as-a-service (RaaS). The group is known for its sophisticated tactics and techniques, aligning with the MITRE ATT&CK Framework. Cactus employs unique encryption methods, using a batch script to obtain the encryptor binary via 7-Zip and deploying it with an execution flag. The group targets organizations across various industries, appending the file extension “.cts1” to encrypted files. Cactus's ability to exploit vulnerabilities and evade detection makes it a significant threat in the ransomware landscape.
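The “.cts1” extension noted above is a file-level indicator a defender can hunt for. The following detector is an added example written for this page, not code from the tracker or from any Cactus analysis: it parses constructed file-rename events (timestamp, host, path) and flags any host where files acquire the `.cts1` extension in a burst, which is the pattern a mass-encryption run leaves behind. Window and threshold values are assumptions to tune per environment.

```python
"""Flag hosts with a burst of renames to the Cactus '.cts1' extension (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

CACTUS_EXT = ".cts1"  # extension reported for Cactus-encrypted files

# Constructed sample events, one per line: "<ISO timestamp> <host> <path>". Not real telemetry.
SAMPLE_EVENTS = """\
2024-08-08T02:14:01 fs01 D:\\Shares\\Freight\\invoice_0431.xlsx.cts1
2024-08-08T02:14:01 fs01 D:\\Shares\\Freight\\invoice_0432.xlsx.cts1
2024-08-08T02:14:02 fs01 D:\\Shares\\Freight\\rates_q3.pdf.cts1
2024-08-08T02:14:02 fs01 D:\\Shares\\Freight\\carriers.docx.cts1
2024-08-08T02:14:03 fs01 D:\\Shares\\Freight\\audit_2024.csv.cts1
2024-08-08T02:30:10 ws17 C:\\Users\\jdoe\\Documents\\notes.txt.cts1
2024-08-08T03:00:00 ws22 C:\\Users\\asmith\\report.docx
"""


def parse_events(text):
    """Parse event lines into (timestamp, host, path) tuples; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, path = line.split(" ", 2)
        events.append((datetime.fromisoformat(ts), host, path))
    return events


def find_cts1_bursts(events, window=timedelta(seconds=60), threshold=3):
    """Return {host: peak_count} for hosts with >= threshold .cts1 renames inside one window.

    A sliding window over the sorted timestamps of each host counts how many
    .cts1 renames fall within `window`; the peak count is reported per host.
    """
    by_host = defaultdict(list)
    for ts, host, path in events:
        if path.lower().endswith(CACTUS_EXT):
            by_host[host].append(ts)
    alerts = {}
    for host, times in by_host.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts[host] = max(alerts.get(host, 0), end - start + 1)
    return alerts


if __name__ == "__main__":
    print(find_cts1_bursts(parse_events(SAMPLE_EVENTS)))
```

A single `.cts1` file (ws17 in the sample) stays below the threshold, so an isolated rename does not page anyone, while the file-server burst does.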

Recent Ransomware Attacks

The Recent Ransomware Attacks (RRA) site acts as a watchtower, providing you with near real-time ransomware tracking of attacks, groups and their victims. Given threat actors’ overarching, lucrative success so far, ransomware attacks have become the most ubiquitous, and financially and informationally impactful cyber threat to businesses and organizations today.

The site’s data is generated based on hosting choices of real-world threat actors, and a handful of other trackers. While sanitization efforts have been taken, we cannot guarantee 100% accuracy of the data. Attack updates will be made as source data is reported by reputable sources. By viewing, accessing, or using RRA you acknowledge you are doing so at your own risk.