The Cactus Ransomware Gang's Attack on OmniVision Technologies

The Cactus ransomware gang has attacked Omnivision Technologies. OmniVision Technologies is a company that specializes in the design and manufacturing of advanced digital imaging sensors and solutions. Founded in 1996 and headquartered in Santa Clara, California, the company has become a prominent player in the global image sensor industry. OmniVision's products are used in a wide range of applications, including smartphones, tablets, automotive systems, medical devices, security cameras, and various other consumer and industrial devices.

Cactus posted Omnivision Technologies to its data leak site on October 16th but provided no further details. Cactus has been in operation since at least March 2023. Cactus has been observed employing known vulnerabilities within VPN appliances to initiate an initial breach. Once gaining entry to the network, Cactus operators engage in activities such as enumerating local and network user accounts and identifying accessible endpoints. They then proceed to generate new user accounts and utilize custom scripts for the automated rollout and activation of the ransomware encryptor through scheduled tasks.

It is noteworthy that the ransomware encryptor utilized by Cactus exhibits a unique characteristic – it necessitates a decryption key for the execution of the binary, likely implemented to evade detection by anti-virus software. This decryption key is concealed within a file containing random text named ntuser.dat, which is loaded through a scheduled task.