A recent cyberattack by the Cactus ransomware group has exposed a massive amount of sensitive data from three companies: Cleshar, Ammega, and Reny Picot, all giants in their respective industries.
More than 4 terabytes of information has been stolen, putting the personal and financial well-being of thousands of people at risk. Here’s what we’ve been able to gather about the attack from our sources.
The Perpetrators
The Cactus ransomware group, which emerged in March 2023, has quickly become a major cyber threat. Where some groups, such as LockBit, target large numbers of victims indiscriminately, Cactus's modus operandi has been to focus on high-profile organizations across various industries; this latest development is a prime example.
Cactus steals sensitive data before encrypting a victim's files. This double extortion tactic, which is very common among proficient ransomware groups, puts extra pressure on victims to pay the ransom, as they face the potential of not just losing their data, but also having it leaked publicly.
The group uses advanced techniques to evade detection and infiltrate systems, mainly exploiting vulnerabilities in VPN appliances and leveraging multiple tools to gain remote access and deploy its ransomware.
Victim 1: Cleshar - $1,000,000 Ransom
Cleshar, a well-established company in the UK, founded in 1992, specializes in providing multidisciplinary services for the rail infrastructure sector. Their expertise spans a number of areas like track construction and maintenance, civil engineering, power systems, and even training for rail personnel.
Today, the company has over 1400 employees and works on numerous projects to ensure a safe and efficient rail network across the UK.
According to Cactus, 1 TB of data was stolen from Cleshar’s cloud storage. This data comprises the following items:
- Accounting/treasury/taxes 40GB+
- HR - payrolls/personal documents/dossiers 110GB+
- Customer data - projects/contracts/drawings 130GB+
- Engineering/R&D/QA
- Legal documents 3GB+
- Corporate correspondence 120GB+
- Employees' personal folders
- Database exports/backups
The ransomware group has thousands of documents, pictures, and files in their possession, all of which compromise not just the firm, but its employees as well. Pictured below is an employee’s passport uploaded as proof by Cactus:
Victim 2: Ammega - $9,000,000 Ransom
Ammega is a global leader in industrial solutions, particularly focused on belting, power transmission, and fluid power. Formed in 2018, it's the result of a merger between Ammeraal Beltech, known for conveying solutions, and Megadyne, a leader in power transmission products.
They cater to a wide range of industries, including global logistics, food production, fitness equipment, and even energy production. Most importantly, Ammega is the largest of the three victims in this attack, with over 6,000 employees and operations in 40 countries.
Being the largest firm on this list, it’s also the one that had the largest amount of data stolen - 3 TB as claimed by Cactus. The group states that they have the following data in their possession:
- Accounting/treasury/taxes 250GB+
- HR - payrolls/personal documents/dossiers 150GB+
- Customer data - projects/contracts/drawings 100GB+
- Engineering/R&D/QA 250GB+
- Legal documents
- Corporate correspondence 100GB+
- Employees' personal folders
As with the previous case, Cactus has stolen thousands of confidential documents from the firm. Looking at the types of data compromised, it is clear that the employees and clients of the firm are all at considerable risk. The following shows a confidentiality agreement, signed by Ammega and a partner firm, published by Cactus as proof:
Victim 3: Reny Picot - $1,000,000 Ransom
Reny Picot is a prominent dairy brand founded in 1960 in Asturias, Spain, where they began by filling a gap in the developing Spanish dairy market. Their initial focus was on French-style cheeses, and as their expertise in cheesemaking quickly expanded, they grew to where they are now - a billion-dollar, multinational corporation.
On the way there, the expansion of their operations has seen the company hire roughly 1700 employees worldwide.
Comparatively speaking, Reny Picot has had a smaller amount of data stolen (350 GB). The listing, which does not break down how much of each category was stolen, includes the following file types:
- Accounting/treasury/taxes
- HR - payrolls/personal documents/dossiers
- Customer data
- Contracts
- Engineering/R&D/QA documents
- Corporate correspondence
- Database exports with client information
- Employees' and executive managers' personal folders and much more.
Although a comparatively smaller amount of data was stolen, the types of documents involved make it evident that the firm’s corporate secrets, employee data, and even client data are all at risk. The following shows the national ID card of an employee at Reny Picot, uploaded as proof on Cactus’ site:
4.35 Terabytes of Data Stolen
The breached data spans a wide range of categories, including financial records, payroll information, employee personal documents, customer data, and intellectual property. This means that employees of these companies could have their Social Security numbers, bank account details, and even health information exposed.
Cactus might also have customer data, including things like project details, contracts, and drawings, potentially ruining years of business operations and leading to massive losses.
The stolen data presents a huge risk of identity theft and fraud, especially since employee ID cards were uploaded unredacted, with nothing to protect the holders' identities. Hackers, or malicious individuals in general, could use this stolen personal information to apply for loans, credit cards, or other financial services in the victims' names.
Leaked corporate data, on the other hand, could be used for industrial espionage. With over 9500 employees and countless customers across the three firms, the potential impact of this data breach is farther-reaching than any of us may realize.
The Road Ahead in Cybersecurity
It's important, now more than ever, for the affected companies to be transparent with their employees and customers, take steps to mitigate the damage, and offer support to those whose information may have been compromised.
With malicious groups such as Cactus specifically targeting high-profile companies with ransomware attacks, the onus is on these large corporations to invest in their cybersecurity and ensure that every part of their business is padlocked against threats. This latest attack is yet another reminder that virtually no one is safe from ransomware threats, and that any vulnerability in a firm that can be exploited most likely will be.