Ransomware Attack Exposes Sensitive Data at Denkai America

Incident Date: July 30, 2024

Overview

Title: Ransomware Attack Exposes Sensitive Data at Denkai America

Victim: Denkai America

Attacker: Cactus

Location: Camden, South Carolina, USA

First Reported: July 30, 2024

Ransomware Attack on Denkai America by Cactus Group

Denkai America, a prominent manufacturer specializing in high-quality electrodeposited copper foils, has recently fallen victim to a ransomware attack carried out by the Cactus ransomware group. The breach, disclosed on July 31, has led to the exposure of a wide array of sensitive materials, including business documents, customer information, internal communications, confidential financial records, employee files, and contractual agreements.

Company Overview

Denkai America operates as a subsidiary of Nippon Denkai, Ltd., based in Japan, with its manufacturing headquarters in Camden, South Carolina, USA. The company is recognized for its technological leadership in producing both conventional and application-specific copper foils, which are essential components in various electronic devices. Denkai America primarily serves the printed circuit board (PCB) industry, as well as applications in industrial and energy storage sectors. The company employs advanced manufacturing techniques, notably the electroforming process on revolving titanium drums, to produce copper foils with superior surface quality.

Attack Overview

The ransomware attack on Denkai America has significantly impacted the company, which has an estimated revenue of $18.1 million. The Cactus ransomware group, known for exploiting vulnerabilities and leveraging malvertising lures, claimed responsibility for the attack via their dark web leak site. The breach has exposed a wide array of sensitive materials, and although some evidence of the breach has surfaced online, detailed information remains scarce. Denkai America has yet to issue a public statement regarding the incident.

About the Cactus Ransomware Group

The Cactus ransomware group, first observed in March 2023, operates as a ransomware-as-a-service (RaaS) and is known for exploiting vulnerabilities such as ZeroLogon (CVE-2020-1472). The group uses distinctive packaging to evade detection: a batch script uses 7-Zip to obtain the encryptor binary and then launches that binary with an execution flag. Cactus affiliates use custom scripts to disable security tools and distribute the ransomware, targeting organizations of all sizes across many industries.

Penetration and Vulnerabilities

Cactus ransomware's tactics and techniques map to the MITRE ATT&CK framework and reflect a mature understanding of intrusion tradecraft. The group has been observed creating multiple accounts and adding them to the local Administrators group; these accounts are then used to evade detection, escalate privileges, and maintain persistence in the environment. The attackers move laterally by abusing RDP, scheduled tasks, and the Windows Management Instrumentation Command-line utility (WMIC). Denkai America's focus on high-quality manufacturing processes and technological innovation may have made it an attractive target for threat actors seeking to exploit weaknesses in the manufacturing sector.
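A defender-side illustration of the account-creation and persistence behaviour described above, added here as an example and not part of the original report: it correlates constructed Windows Security event records (4720 account created, 4732 member added to a local group, 4698 scheduled task created) to flag an account that is made a local administrator shortly after it is created, and collects any scheduled tasks that account then registers. The event IDs are real Windows Security audit IDs; the records, account names and the one-hour window are constructed assumptions, not data from the incident.

```python
from datetime import datetime, timedelta

# Constructed sample Windows Security events (assumption, not incident data).
# 4720 = user account created, 4732 = member added to a security-enabled local group,
# 4698 = scheduled task created.
SAMPLE_EVENTS = [
    {"time": "2024-07-29T02:11:05", "id": 4720, "subject": "CORP\\svc_backup",
     "target": "CORP\\wsupdate"},
    {"time": "2024-07-29T02:11:40", "id": 4732, "subject": "CORP\\svc_backup",
     "target": "CORP\\wsupdate", "group": "Administrators"},
    {"time": "2024-07-29T02:15:12", "id": 4698, "subject": "CORP\\wsupdate",
     "task": "\\Microsoft\\Windows\\Sync"},
    # Benign helpdesk activity: a new user added to a non-admin group a day later.
    {"time": "2024-07-15T09:00:00", "id": 4720, "subject": "CORP\\helpdesk",
     "target": "CORP\\jsmith"},
    {"time": "2024-07-16T09:30:00", "id": 4732, "subject": "CORP\\helpdesk",
     "target": "CORP\\jsmith", "group": "Remote Desktop Users"},
]


def find_new_admin_accounts(events, window=timedelta(hours=1)):
    """Return one alert per account that was created and then added to the
    Administrators group within `window`; each alert also lists scheduled
    tasks later created by that account (a persistence indicator)."""
    created = {}   # account -> creation time
    alerts = []
    for e in sorted(events, key=lambda ev: ev["time"]):   # ISO strings sort chronologically
        t = datetime.fromisoformat(e["time"])
        if e["id"] == 4720:
            created[e["target"]] = t
        elif e["id"] == 4732 and e.get("group") == "Administrators":
            birth = created.get(e["target"])
            if birth is not None and t - birth <= window:
                alerts.append({"account": e["target"], "created_by": e["subject"],
                               "admin_at": e["time"], "tasks": []})
        elif e["id"] == 4698:
            # Attribute task creation to an already-flagged account, if any.
            for alert in alerts:
                if alert["account"] == e["subject"]:
                    alert["tasks"].append(e["task"])
    return alerts


if __name__ == "__main__":
    for alert in find_new_admin_accounts(SAMPLE_EVENTS):
        print(alert)
```

In a real deployment the same logic would consume events exported from the Security log or a SIEM rather than the inline list, and the window should be tuned to the organisation's provisioning practices.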

Recent Ransomware Attacks

The Recent Ransomware Attacks (RRA) site acts as a watchtower, providing near real-time tracking of ransomware attacks, groups and their victims. Given threat actors' sustained, lucrative success so far, ransomware has become the most ubiquitous and the most financially and informationally damaging cyber threat to businesses and organizations today.

The site’s data is generated based on hosting choices of real-world threat actors, and a handful of other trackers. While sanitization efforts have been taken, we cannot guarantee 100% accuracy of the data. Attack updates will be made as source data is reported by reputable sources. By viewing, accessing, or using RRA you acknowledge you are doing so at your own risk.