EXCO GmbH Hit by Cactus Ransomware: 251GB Data Compromised

Incident Date: Aug 05, 2024

Attack Overview

VICTIM: EXCO GmbH
INDUSTRY: Manufacturing
LOCATION: Germany
ATTACKER: Cactus
FIRST REPORTED: August 5, 2024

EXCO GmbH Targeted by Cactus Ransomware Group: A Detailed Analysis

EXCO GmbH, a prominent technical service provider headquartered in Frankenthal, Germany, has recently fallen victim to a ransomware attack orchestrated by the Cactus ransomware group. The attack has compromised a substantial 251GB of sensitive organizational data, with the attackers already disclosing 1% of the stolen information on their dark web leak site.

About EXCO GmbH

Founded in 1994, EXCO GmbH has established itself as a trusted partner for leading manufacturers and systems providers in regulated industries. The company specializes in quality assurance and engineering solutions, with a focus on software engineering, system development, automation, and quality assurance. With over 300 employees, EXCO serves clients primarily in the medical, pharmaceutical, biotechnology, food technology, and chemical industries. The company is known for its commitment to quality, holding certifications such as DIN EN ISO 13485 and ISO 9001.

Attack Overview

The Cactus ransomware group claims to have infiltrated EXCO GmbH's systems and gained access to a wide array of critical information. The compromised data reportedly includes personally identifiable information (PII), personal and corporate data of employees and executives, customer data, financial documents, contracts, and corporate correspondence. The exposure of such extensive and varied data poses significant privacy and security risks to every stakeholder involved.

About the Cactus Ransomware Group

First observed in March 2023, the Cactus ransomware group operates on a ransomware-as-a-service (RaaS) model. The group is known for exploiting vulnerabilities and using malvertising lures in targeted attacks. It has been observed exploiting the ZeroLogon vulnerability (CVE-2020-1472), which allows an unauthenticated remote attacker to take over domain controllers and obtain domain administrator privileges. Cactus affiliates use custom scripts to disable security tools and distribute the ransomware, targeting organizations of all sizes across many industries.

Penetration and Techniques

The Cactus ransomware group employs unusual encryption techniques to evade detection. A batch script extracts the encryptor binary from a 7-Zip archive, launches the encryptor with a specific execution flag, and then deletes the original ZIP archive. Encrypted files receive the extension “.cts1”, where the numerical suffix varies between victims. Intrusions often involve creating multiple accounts and adding them to the Administrators group; these accounts are then used to evade detection, escalate privileges, and maintain persistence in the environment. The group moves laterally by abusing RDP, scheduled tasks, and the Windows Management Instrumentation Command-line tool (WMIC).
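Two of the behaviours above are cheap to hunt for in telemetry a defender already collects: files renamed with the ".cts<N>" extension, and accounts that are created and then added to the local Administrators group. The script below is an added example written for this article, not code from Halcyon or from the Cactus operators; the file paths and the simplified "key=value" security events (Windows event IDs 4720 and 4732, Administrators SID S-1-5-32-544) are constructed sample data.

```python
import re

# Cactus appends ".cts<N>" (e.g. ".cts1"); the digit varies per victim, so
# match any run of digits rather than a fixed "1".
CACTUS_EXT = re.compile(r"\.cts\d+$", re.IGNORECASE)

# Well-known SID of the built-in local Administrators group.
ADMIN_GROUP_SID = "S-1-5-32-544"


def find_cactus_extensions(paths):
    """Return the paths whose final extension matches the Cactus '.cts<N>' pattern."""
    return [p for p in paths if CACTUS_EXT.search(p)]


def parse_event(line):
    """Parse one constructed 'key=value' security event line into a dict."""
    return dict(tok.split("=", 1) for tok in line.split())


def flag_new_admin_accounts(lines):
    """Return accounts that were created (4720) and later added to Administrators (4732)."""
    created, flagged = set(), []
    for ev in map(parse_event, lines):
        if ev.get("EventID") == "4720":
            created.add(ev["TargetUserName"].lower())
        elif ev.get("EventID") == "4732" and ev.get("GroupSid") == ADMIN_GROUP_SID:
            member = ev["MemberName"].lower()
            if member in created and member not in flagged:
                flagged.append(member)
    return flagged


# Constructed sample data (not taken from any real incident).
SAMPLE_PATHS = [
    r"C:\Shares\Finance\Q2_contracts.xlsx.cts1",
    r"C:\Shares\HR\payroll_2024.pdf.cts1",
    r"C:\Shares\HR\readme.txt",
    r"C:\Users\jdoe\notes.cts",  # no numeric suffix: not the Cactus pattern
]
SAMPLE_EVENTS = [
    "EventID=4720 TargetUserName=svc_update SubjectUserName=it-admin",
    "EventID=4732 MemberName=svc_update GroupSid=S-1-5-32-544 SubjectUserName=it-admin",
    "EventID=4732 MemberName=jdoe GroupSid=S-1-5-32-545 SubjectUserName=it-admin",
    "EventID=4720 TargetUserName=helpdesk2 SubjectUserName=it-admin",
]

if __name__ == "__main__":
    print("Cactus-style extensions:", find_cactus_extensions(SAMPLE_PATHS))
    print("New accounts added to Administrators:", flag_new_admin_accounts(SAMPLE_EVENTS))
```

In a real environment the event fields come from the Security log (the 4732 member and group fields are named differently there), so adapt `parse_event` to your log pipeline's schema.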

Vulnerabilities and Impact

EXCO GmbH's extensive involvement in highly regulated industries makes it a lucrative target for ransomware groups like Cactus. The company's reliance on sensitive data and stringent regulatory compliance requirements heightens the impact of such breaches. The attack not only jeopardizes the privacy and security of EXCO's stakeholders but also threatens the company's reputation and operational integrity.
