Ransomware Attack Hits Western Wyoming Beverages, Data Compromised
Ransomware Attack on Western Wyoming Beverages by Cactus Group
Western Wyoming Beverages, a prominent beverage distribution company based in Rock Springs, Wyoming, has recently fallen victim to a ransomware attack orchestrated by the Cactus ransomware group. This attack has compromised a significant amount of sensitive data, including database exports, employee personal files, personally identifiable information, financial data, customer data, contracts, and corporate correspondence.
About Western Wyoming Beverages
Established over 50 years ago, Western Wyoming Beverages is a locally owned and operated company specializing in the distribution of a diverse range of beverages, including popular brands such as Budweiser and Pepsi. The company serves various communities in the region, including Rock Springs, Green River, Jackson, Evanston, Kemmerer, Pinedale, Wamsutter, Big Piney, Mt. View, and Lyman. With a workforce of approximately 32 to 200 employees, the company generates an annual revenue of about $57.4 million.
Western Wyoming Beverages is known for its commitment to quality service and community involvement. The company emphasizes the use of local resources, such as glass made from Wyoming trona for Budweiser bottles, connecting their products to the local heritage and mining industry. Their dedication to friendly service and strong community relationships has made them a key player in the local beverage market.
Details of the Attack
The Cactus ransomware group, first discovered in March 2023, operates as a ransomware-as-a-service (RaaS) and is known for exploiting vulnerabilities and leveraging malvertising lures for targeted attacks. The group has been observed exploiting the ZeroLogon vulnerability, tracked as CVE-2020-1472, which allows remote unauthenticated attackers to access domain controllers and obtain domain administrator access.
In the case of Western Wyoming Beverages, the attackers have provided proof of the exfiltrated data on two dark web links. The company is currently grappling with the repercussions of this breach and working to mitigate the impact on its operations and stakeholders.
About the Cactus Ransomware Group
Cactus ransomware affiliates use custom scripts to disable security tools and distribute the ransomware, targeting organizations of all sizes across various industries. The group employs unique encryption techniques to avoid detection: a batch script obtains the encryptor binary with 7-Zip, deploys it with an execution flag, and then removes the original ZIP archive. Cactus ransomware's tactics and techniques map to the MITRE ATT&CK framework, reflecting a sophisticated understanding of cyber threats.
The group's attacks have been observed to create multiple accounts and add them to the administrators group; these accounts are then used to evade detection, escalate privileges, and maintain persistence in the environment. Attackers move laterally by abusing RDP, scheduled tasks, and the Windows Management Instrumentation Command-line (WMIC), techniques commonly observed across similar ransomware attacks.
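As an added, defender-side illustration (not part of the original post and not Halcyon's tooling), the following Python correlates constructed Windows Security-log events to surface the pattern described above: an account created and added to an administrators group within minutes, followed by a scheduled task registered by that same account. The event IDs are the standard Windows ones; the hostnames, account names, task names and timestamps are made up.

```python
from datetime import datetime, timedelta

# Constructed sample Security-log events (not real telemetry), reduced to the
# fields the correlation needs. IDs: 4720 = account created, 4732 / 4728 =
# member added to a local / global security group, 4698 = scheduled task created.
SAMPLE_EVENTS = [
    {"ts": "2024-01-10T02:14:05", "id": 4720, "host": "DC01", "subject": "svc_backup", "target": "helpdesk2"},
    {"ts": "2024-01-10T02:14:09", "id": 4732, "host": "DC01", "subject": "svc_backup", "target": "helpdesk2", "group": "Administrators"},
    {"ts": "2024-01-10T02:20:41", "id": 4698, "host": "FS02", "subject": "helpdesk2", "task": "\\Maintenance\\Sync"},
    {"ts": "2024-01-10T09:30:00", "id": 4720, "host": "DC01", "subject": "hr_admin", "target": "jsmith"},
    {"ts": "2024-01-10T11:00:00", "id": 4698, "host": "FS02", "subject": "jsmith", "task": "\\Reports\\Nightly"},
    {"ts": "2024-01-12T10:05:00", "id": 4732, "host": "DC01", "subject": "hr_admin", "target": "jsmith", "group": "Administrators"},
]
ADMIN_GROUPS = {"Administrators", "Domain Admins"}

def _ts(event):
    return datetime.fromisoformat(event["ts"])

def find_fast_admin_grants(events, window=timedelta(minutes=10)):
    """Accounts added to an admin group within `window` of being created.
    Returns (account, host, seconds_between) tuples. Routine provisioning rarely
    chains both steps in one sitting; the attacker workflow above does."""
    created, hits = {}, []
    for ev in sorted(events, key=_ts):
        key = (ev["host"], ev.get("target"))
        if ev["id"] == 4720:
            created[key] = _ts(ev)
        elif ev["id"] in (4732, 4728) and ev.get("group") in ADMIN_GROUPS and key in created:
            delta = _ts(ev) - created[key]
            if timedelta(0) <= delta <= window:
                hits.append((ev["target"], ev["host"], int(delta.total_seconds())))
    return hits

def tasks_by_new_admins(events, window=timedelta(minutes=10)):
    """Scheduled tasks (4698) registered by an account flagged above: a freshly
    elevated account planting persistence, possibly on a different host."""
    suspects = {acct for acct, _host, _secs in find_fast_admin_grants(events, window)}
    return [(ev["subject"], ev["host"], ev["task"])
            for ev in events if ev["id"] == 4698 and ev["subject"] in suspects]

if __name__ == "__main__":
    for hit in find_fast_admin_grants(SAMPLE_EVENTS):
        print("new account elevated to admin within window:", hit)
    for task in tasks_by_new_admins(SAMPLE_EVENTS):
        print("scheduled task registered by newly elevated account:", task)
```

The jsmith account is created and elevated two days apart and so is not flagged, which is the distinction a triage rule needs to make before paging anyone.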