TIBA IT Services Hit by Cactus Ransomware: 29GB Data Stolen

Incident Date: August 8, 2024


Overview

Title: TIBA IT Services Hit by Cactus Ransomware: 29GB Data Stolen
Victim: TIBA IT Services
Attacker: Cactus
Location: Zapopan, Mexico
First Reported: August 8, 2024

Ransomware Attack on TIBA IT Services by Cactus Group

TIBA IT Services, a prominent provider of outsourced IT infrastructure management and support services in Mexico and Latin America, has recently fallen victim to a ransomware attack orchestrated by the Cactus ransomware group. The attack, discovered on August 8, 2024, resulted in the exfiltration of 29GB of sensitive data, posing significant operational and reputational challenges for the company.

About TIBA IT Services

TIBA IT Services specializes in delivering end-to-end IT solutions, including managed IT services, remote support, and SAP licensing optimization. The company operates under the umbrella of KIO Networks, a leading IT conglomerate in Mexico and Latin America. TIBA IT Services is headquartered in Zapopan, Jalisco, Mexico, and is known for adhering to ITIL standards and implementing best practices in service delivery. The company has a significant presence in the IT services industry, with approximately 948 followers on LinkedIn.

Attack Overview

The Cactus ransomware group managed to infiltrate TIBA IT Services' systems, exfiltrating 29GB of sensitive data. The attack has exposed vulnerabilities in the company's IT infrastructure, highlighting the need for enhanced cybersecurity measures. The perpetrators used sophisticated techniques to disable security tools and distribute the ransomware, targeting the company's critical systems.

About the Cactus Ransomware Group

The Cactus ransomware group, first discovered in March 2023, operates as a ransomware-as-a-service (RaaS). The group is known for exploiting vulnerabilities such as the ZeroLogon vulnerability (CVE-2020-1472) and for using malvertising lures in targeted attacks. Cactus ransomware employs unique encryption techniques to avoid detection, using custom scripts to disable security tools and distribute the ransomware. The group's tactics can be mapped onto the MITRE ATT&CK framework, reflecting a mature, well-organized operation.

Penetration Techniques

Cactus ransomware affiliates use custom scripts to disable security tools and distribute the ransomware. They exploit vulnerabilities like ZeroLogon to gain unauthorized access to domain controllers and obtain domain administrator access. In addition to its unique encryption techniques, the group stages its payload with a batch script: the script extracts the encryptor binary from a ZIP archive using 7-Zip, launches the encryptor with an execution flag, and then deletes the original ZIP archive. These techniques allow the group to evade detection and maintain persistence in the targeted environment.
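The three-step staging sequence above (7-Zip extraction, launch of the extracted binary with a switch, deletion of the archive) is a useful detection pattern for defenders. The following is an added example, not code from the original page or from any vendor: it correlates constructed process-creation events per host and flags the sequence when all three steps occur within a short window. The sample events, host names, paths, the 5-minute window and the "any switch" matching are assumptions for illustration; the specific switch Cactus uses is not taken from this page.

```python
import re
from datetime import datetime, timedelta

# Constructed sample process-creation events (not real telemetry). Each tuple is
# (host, ISO timestamp, command line) as a Sysmon/EDR process-start event would record.
SAMPLE_EVENTS = [
    ("WS01", "2024-08-08T01:12:03", r"cmd.exe /c C:\Users\Public\run.bat"),
    ("WS01", "2024-08-08T01:12:04", r"7z.exe x C:\Users\Public\pkg.zip -oC:\Users\Public"),
    ("WS01", "2024-08-08T01:12:06", r"C:\Users\Public\enc.exe -i"),
    ("WS01", "2024-08-08T01:12:07", r"cmd.exe /c del C:\Users\Public\pkg.zip"),
    # Benign-looking host: an archive is extracted, a program runs much later
    # with no switch, and the archive is never deleted.
    ("WS02", "2024-08-08T09:00:00", r"7z.exe x C:\Temp\backup.zip -oC:\Temp"),
    ("WS02", "2024-08-08T09:30:00", r"C:\Temp\report.exe"),
]

# 7-Zip extract (x or e) of a .zip with an -o<dir> output directory.
EXTRACT_RE = re.compile(r"7za?\.exe\s+[xe]\s+(?P<zip>\S+\.zip)\s.*?-o(?P<out>\S+)", re.I)
# cmd.exe built-in deletion of a .zip.
DEL_RE = re.compile(r"\bdel\s+(?P<zip>\S+\.zip)", re.I)

def _launched_from(cmd, out_dir):
    """True if cmd starts a binary inside out_dir and passes it a switch.
    The specific switch value is not assumed; any '-x' or '/x' token counts."""
    return cmd.lower().startswith(out_dir.lower() + "\\") and re.search(r"\s[-/]\w", cmd) is not None

def _deletes(cmd, zip_path):
    """True if cmd deletes exactly the archive that was extracted earlier."""
    m = DEL_RE.search(cmd)
    return m is not None and m["zip"].lower() == zip_path.lower()

def detect_staged_encryptor(events, window=timedelta(minutes=5)):
    """Return (host, archive) pairs where, on one host within `window`, a ZIP is
    extracted with 7-Zip, a binary from the extraction directory is then run
    with a switch, and the ZIP is deleted: the staging sequence described above."""
    by_host = {}
    for host, ts, cmd in sorted(events, key=lambda e: e[1]):
        by_host.setdefault(host, []).append((datetime.fromisoformat(ts), cmd))
    hits = []
    for host, evs in by_host.items():
        for i, (t0, cmd) in enumerate(evs):
            m = EXTRACT_RE.search(cmd)
            if not m:
                continue
            later = [c for t, c in evs[i + 1:] if t - t0 <= window]
            if any(_launched_from(c, m["out"]) for c in later) and \
               any(_deletes(c, m["zip"]) for c in later):
                hits.append((host, m["zip"]))
    return hits
```

Archive extraction alone is common on admin hosts, so the rule only fires when all three steps land on the same host inside the window; WS02 above is deliberately left unflagged.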


Recent Ransomware Attacks

The Recent Ransomware Attacks (RRA) site acts as a watchtower, providing you with near real-time ransomware tracking of attacks, groups and their victims. Given threat actors’ overarching, lucrative success so far, ransomware attacks have become the most ubiquitous, and financially and informationally impactful cyber threat to businesses and organizations today.

The site’s data is generated based on hosting choices of real-world threat actors, and a handful of other trackers. While sanitization efforts have been taken, we cannot guarantee 100% accuracy of the data. Attack updates will be made as source data is reported by reputable sources. By viewing, accessing, or using RRA you acknowledge you are doing so at your own risk.