Pierluigi Paganini January 30, 2024

Energy management and industrial automation firm Schneider Electric suffered a data breach after a Cactus ransomware attack.

Schneider Electric is a multinational company that specializes in energy management, industrial automation, and digital transformation.

BleepingComputer first reported the attack that hit the Sustainability Business division of the company on January 17th. BleepingComputer contacted Schneider Electric which confirmed the data breach.

The attack was carried out by the Cactus ransomware gang, which claims to have stolen terabytes of corporate data from the company.

The attack impacted the services of Schneider Electric’s Resource Advisor cloud platform causing outages.

Schneider Electric said that other divisions of the company were not impacted by the cyber attack.

The company is working to restore the impacted systems and is investigating the incident with the help of leading cybersecurity firms,

The Cactus ransomware operation has been active since March 2023, despite the threat actors use a double-extortion model, their data leak site has yet to be discovered.

Kroll researchers reported that the ransomware strain outstands for the use of encryption to protect the ransomware binary.

Cactus ransomware uses the SoftPerfect Network Scanner (netscan) to look for other targets on the network along with PowerShell commands to enumerate endpoints. The ransomware identifies user accounts by viewing successful logins in Windows Event Viewer, it also uses a modified variant of the open-source PSnmap Tool.

The Cactus ransomware relies on multiple legitimate tools (e.g. Splashtop, AnyDesk, SuperOps RMM) to achieve remote access and uses Cobalt Strike and the proxy tool Chisel in post-exploitation activities.

Once the malware has escalated the privileges on a machine, the threat actors use a batch script to uninstall popular antivirus solutions installed on the machine.

Cactus uses the Rclone tool for data exfiltration and used a PowerShell script called TotalExec, which was used in the past by BlackBasta ransomware operators, to automate the deployment of the encryption process.

In early January, the Cactus ransomware group claimed to have hacked Coop, one of the largest retail and grocery providers in Sweden.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Schneider Electric)