Leonard's Syrups Faces Major Data Breach in Cactus Ransomware Attack
Leonard's Syrups Hit by Cactus Ransomware Attack
Leonard's Syrups, a family-owned beverage company based in Detroit, Michigan, has become the latest victim of a ransomware attack orchestrated by the Cactus ransomware group. The attack, which was disclosed on July 31, has led to a significant data breach, affecting various aspects of the company's operations.
Company Overview
Leonard's Syrups, established in 1964 by Leonard Bugajewski Sr. and his son Leonard Jr., is renowned for its extensive range of beverage products and services. The company specializes in soda syrups, beverage gases, and related equipment, serving a diverse clientele that includes restaurants and convenience stores. With multiple locations across Michigan, including Detroit, Saginaw, and Grand Rapids, Leonard's Syrups has built a reputation for excellent customer service and quality products.
Details of the Attack
The ransomware attack has compromised financial records, customer data, internal communications, and potentially technical details related to the company's operations. While some evidence of the breach has surfaced online, comprehensive details remain scarce. Leonard's Syrups has yet to issue a public statement regarding the incident, and the situation is currently under investigation.
About the Cactus Ransomware Group
The Cactus ransomware group, first discovered in March 2023, operates as a ransomware-as-a-service (RaaS). The group is known for exploiting vulnerabilities and leveraging malvertising lures for targeted attacks. Cactus ransomware affiliates use custom scripts to disable security tools and distribute the ransomware, targeting organizations of all sizes across various industries.
Cactus ransomware employs unique encryption techniques to avoid detection. The group uses a batch script that extracts the encryptor binary from a ZIP archive with 7-Zip, runs the extracted encryptor with an execution flag, and then deletes the original ZIP archive. The ransomware appends the file extension “.cts1” to encrypted files, with the numerical value varying between victims.
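As an added illustration that is not part of the original article and not Halcyon's code, the following Python sketch turns the two observable traits above into defender-side checks: a match for the per-victim `.cts<N>` suffix, and a per-host correlation over constructed process-creation events for the extract-with-7-Zip, run-extracted-binary, delete-archive sequence. The event shape, the sample paths and the deletion keywords are assumptions, not a published signature.

```python
import re
from dataclasses import dataclass

# Cactus appends ".cts<N>" to encrypted files; <N> differs between victims.
CTS_EXT = re.compile(r"\.cts\d+$", re.IGNORECASE)

def is_cactus_extension(path: str) -> bool:
    return bool(CTS_EXT.search(path))

@dataclass
class ProcEvent:            # minimal process-creation record (assumed shape)
    host: str
    ts: int                 # seconds; events may arrive out of order
    image: str              # full path of the executable that started
    cmdline: str

# 7-Zip "x" extracts with full paths; "-o<dir>" sets the output directory.
EXTRACT = re.compile(r'7z(?:\.exe)?"?\s+x\s+"?([^"\s]+\.zip)"?.*?-o"?([^"\s]+)', re.I)
DELETE = re.compile(r"\b(del|erase|remove-item|rm)\b", re.I)   # assumed keywords

def flag_archive_drop_chains(events):
    """Return hosts where 7-Zip unpacks a zip, a binary is then launched from
    the extraction directory, and the same zip is deleted afterwards."""
    flagged, by_host = set(), {}
    for e in sorted(events, key=lambda e: e.ts):
        by_host.setdefault(e.host, []).append(e)
    for host, evs in by_host.items():
        zip_path = out_dir = None
        launched = False
        for e in evs:
            m = EXTRACT.search(e.cmdline)
            if m:                                   # stage 1: archive unpacked
                zip_path = m.group(1).lower()
                out_dir = m.group(2).lower().rstrip("\\") + "\\"
                launched = False
            elif out_dir and e.image.lower().startswith(out_dir):
                launched = True                     # stage 2: extracted binary run
            elif (launched and zip_path and zip_path in e.cmdline.lower()
                  and DELETE.search(e.cmdline)):
                flagged.add(host)                   # stage 3: archive removed
    return sorted(flagged)

# Constructed sample telemetry (not real logs); host "ws02" never deletes the zip.
SAMPLE = [
    ProcEvent("ws01", 100, r"C:\Program Files\7-Zip\7z.exe",
              r"7z.exe x C:\Users\Public\pkg.zip -oC:\Users\Public\pkg"),
    ProcEvent("ws01", 105, r"C:\Users\Public\pkg\update.exe", r"C:\Users\Public\pkg\update.exe -i"),
    ProcEvent("ws01", 106, r"C:\Windows\System32\cmd.exe", r"cmd.exe /c del C:\Users\Public\pkg.zip"),
    ProcEvent("ws02", 200, r"C:\Program Files\7-Zip\7z.exe", r"7z.exe x C:\Temp\tools.zip -oC:\Temp\tools"),
    ProcEvent("ws02", 210, r"C:\Temp\tools\setup.exe", r"C:\Temp\tools\setup.exe"),
]

if __name__ == "__main__":
    print(flag_archive_drop_chains(SAMPLE))                      # ['ws01']
    print(is_cactus_extension(r"C:\Finance\ledger.xlsx.cts1"))   # True
```

The chain check is deliberately strict (all three stages on one host, in order) so that routine 7-Zip use alone does not fire; tune the deletion keywords to the shells actually in your environment.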
Potential Vulnerabilities
Leonard's Syrups, like many companies in the manufacturing sector, may have been vulnerable due to outdated security measures or unpatched systems. The Cactus group has been observed exploiting the ZeroLogon vulnerability, tracked as CVE-2020-1472, which allows remote unauthenticated attackers to access domain controllers and obtain domain administrator privileges. This vulnerability could have served as the attackers' entry point.
The attack on Leonard's Syrups underscores the growing threat of ransomware attacks on businesses of all sizes. As the investigation continues, the company will need to address the vulnerabilities that allowed this breach to occur and take steps to prevent future incidents.