Ranger American Security Hit by Cactus Ransomware Attack

Incident Date:

September 3, 2024

Overview

Title

Ranger American Security Hit by Cactus Ransomware Attack

Victim

Ranger American

Attacker

Cactus

Location

San Juan, Puerto Rico

First Reported

September 3, 2024

Ranger American Hit by Cactus Ransomware Attack

Ranger American, a security services company specializing in residential and commercial security systems, has been listed as a victim of the Cactus ransomware group. According to the group's leak site post, 218GB of sensitive data was exfiltrated and the ransom demand stands at $52.9 million.

About Ranger American

Ranger American, officially Ranger American Armored Services, Inc., is headquartered in San Antonio, Texas. The company employs between 1,000 and 5,000 people and offers electronic security systems, armored transport, and security officer services, with a significant presence in Puerto Rico.

Attack Overview

The Cactus ransomware group claimed responsibility for the attack on Ranger American via its dark web leak site. The data said to be compromised includes personally identifiable information (PII), customer details, contracts, employee and executive data, accounting and payroll records, and corporate correspondence. Of the 218GB the group claims to have exfiltrated, less than 1% has been published so far, the usual opening move in a double-extortion negotiation.

About the Cactus Ransomware Group

First observed in March 2023, the Cactus ransomware group has quickly become a notable player in the ransomware landscape. Its initial access relies on exploiting vulnerabilities in VPN appliances and on phishing. Cactus runs a double-extortion operation: it exfiltrates data before encrypting it, then threatens to leak the stolen files if the ransom is not paid. The encryptor combines RSA and AES (a per-file symmetric key wrapped with the attacker's public key) and uses obfuscation and self-encryption of its own binary to evade detection.

Penetration and Vulnerabilities

Cactus primarily gains access to networks by exploiting known vulnerabilities in VPN appliances, notably Fortinet devices. The group also uses phishing and buys stolen credentials on underground forums. Once inside, Cactus sets up command and control over SSH and uses Scheduled Tasks for persistence. It then scans the network to find additional targets and typically disables or uninstalls security software before deploying the encryptor.
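The post-access behaviours listed above (scheduled-task persistence, SSH command and control, internal scanning, tampering with security software) are individually noisy but rarely co-occur on one host in a short window. The script below is an added example, not code from the page or from any tracker: it parses constructed Sysmon-style events (process creation and network connection, as JSON lines), tags each host with the behaviour categories it exhibits, and flags a host when three or more categories line up. The sample events, host names, task name and IP addresses are invented for the example; the regexes and thresholds are assumptions a defender would tune to their own environment.

```python
"""Correlate the post-access TTPs described for Cactus across hosts.

Input is newline-delimited JSON resembling Sysmon events:
  event_id 1 = process creation (image, cmdline, user)
  event_id 3 = network connection (image, dest_ip, dest_port, initiated)
All events below are constructed for this example, not real telemetry.
"""
import ipaddress
import json
import re
from collections import defaultdict

# Constructed sample: HOST-A shows benign admin activity (a backup task,
# an interactive SSH session to an internal box); HOST-B shows the chain
# from the article. Task name "SystemUpdateCheck" is invented.
SAMPLE_EVENTS = r"""
{"host":"HOST-A","event_id":1,"image":"C:\\Windows\\System32\\schtasks.exe","cmdline":"schtasks /create /tn \"NightlyBackup\" /tr C:\\Tools\\backup.bat /sc daily","user":"CORP\\it-admin"}
{"host":"HOST-A","event_id":3,"image":"C:\\Program Files\\PuTTY\\putty.exe","dest_ip":"10.0.5.20","dest_port":22,"initiated":true}
{"host":"HOST-B","event_id":1,"image":"C:\\Windows\\System32\\schtasks.exe","cmdline":"schtasks /create /tn \"SystemUpdateCheck\" /tr C:\\ProgramData\\svc.exe /sc onstart /ru SYSTEM","user":"CORP\\svc-backup"}
{"host":"HOST-B","event_id":3,"image":"C:\\ProgramData\\svc.exe","dest_ip":"203.0.113.45","dest_port":22,"initiated":true}
{"host":"HOST-B","event_id":3,"image":"C:\\ProgramData\\scan.exe","dest_ip":"10.0.5.1","dest_port":445,"initiated":true}
{"host":"HOST-B","event_id":3,"image":"C:\\ProgramData\\scan.exe","dest_ip":"10.0.5.2","dest_port":445,"initiated":true}
{"host":"HOST-B","event_id":3,"image":"C:\\ProgramData\\scan.exe","dest_ip":"10.0.5.3","dest_port":445,"initiated":true}
{"host":"HOST-B","event_id":3,"image":"C:\\ProgramData\\scan.exe","dest_ip":"10.0.5.4","dest_port":445,"initiated":true}
{"host":"HOST-B","event_id":3,"image":"C:\\ProgramData\\scan.exe","dest_ip":"10.0.5.5","dest_port":445,"initiated":true}
{"host":"HOST-B","event_id":1,"image":"C:\\Windows\\System32\\net.exe","cmdline":"net stop \"Sensor Service\"","user":"CORP\\svc-backup"}
"""

# Assumed internal address space; adjust to the real enterprise ranges.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Scheduled task creation from the command line (persistence).
SCHTASKS_CREATE = re.compile(r"schtasks(\.exe)?\s+/create", re.I)
# Stopping/removing services or turning off Defender (defense evasion).
SECURITY_TAMPER = re.compile(
    r"\b(net|sc)(\.exe)?\s+(stop|delete|config)\b|Set-MpPreference\s+-Disable",
    re.I)
# Distinct internal hosts contacted on one port before we call it a scan.
SCAN_THRESHOLD = 5
# Number of distinct categories on one host that triggers an alert.
ALERT_THRESHOLD = 3


def is_internal(ip):
    """True if ip falls inside the assumed internal ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def hunt(lines, scan_threshold=SCAN_THRESHOLD, alert_threshold=ALERT_THRESHOLD):
    """Return {host: {"categories": [...], "flagged": bool}} for the events."""
    categories = defaultdict(set)
    scan_targets = defaultdict(set)  # (host, dest_port) -> internal dest IPs
    for raw in lines.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        ev = json.loads(raw)
        host = ev["host"]
        if ev["event_id"] == 1:
            cmd = ev.get("cmdline", "")
            if SCHTASKS_CREATE.search(cmd):
                categories[host].add("persistence")
            if SECURITY_TAMPER.search(cmd):
                categories[host].add("defense_evasion")
        elif ev["event_id"] == 3 and ev.get("initiated"):
            ip, port = ev["dest_ip"], ev["dest_port"]
            if port == 22 and not is_internal(ip):
                categories[host].add("ssh_c2")   # outbound SSH to the internet
            if is_internal(ip):
                scan_targets[(host, port)].add(ip)
    for (host, port), ips in scan_targets.items():
        if len(ips) >= scan_threshold:
            categories[host].add("scanning")
    hosts = set(categories) | {h for h, _ in scan_targets}
    return {h: {"categories": sorted(categories[h]),
                "flagged": len(categories[h]) >= alert_threshold}
            for h in sorted(hosts)}


if __name__ == "__main__":
    for host, verdict in hunt(SAMPLE_EVENTS).items():
        print(host, "ALERT" if verdict["flagged"] else "ok", verdict["categories"])
```

On the sample, HOST-A earns only the persistence tag (its `schtasks /create` is a routine backup job) and stays quiet, while HOST-B collects all four categories and is flagged. The point is the correlation: none of the four rules is worth paging on alone, but a single host that creates a task, opens SSH to the internet, sweeps an internal /24 and stops a security service in the same window matches the intrusion pattern the article describes.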

Impact on Ranger American

The ransomware attack on Ranger American underscores the vulnerabilities that even well-established security companies face. The breach has not only compromised sensitive data but also poses a significant financial threat with the substantial ransom demand. The incident highlights the importance of continuous vigilance against evolving cyber threats.

Recent Ransomware Attacks

The Recent Ransomware Attacks (RRA) site acts as a watchtower, providing near real-time tracking of ransomware attacks, groups and their victims. Given how lucrative the tactic has been for threat actors, ransomware has become the most widespread cyber threat to businesses and organizations today, and the one with the greatest financial and data-loss impact.

The site’s data is generated based on hosting choices of real-world threat actors, and a handful of other trackers. While sanitization efforts have been taken, we cannot guarantee 100% accuracy of the data. Attack updates will be made as source data is reported by reputable sources. By viewing, accessing, or using RRA you acknowledge you are doing so at your own risk.