Data at Risk: Cactus Group Targets Coop with Major Ransomware Attack

by ·

Recently, the Cactus ransomware group claimed to have infiltrated Sweden’s largest supermarket chain, Coop, threatening to disclose a vast amount of personal information across more than 20,000 directories.

It is understood that Coop operates approximately 800 stores across Sweden, under the umbrella of 29 consumer associations, boasting a membership of 3.5 million individuals. The surplus generated by Coop in its operations is either distributed among its members or reinvested in the business, fostering a cycle of continuous revenue growth.

However, in July 2021, Coop revealed for the first time that it was impacted by a supply chain ransomware attack targeting Kaseya, resulting in the closure of about 500 stores. Although Coop itself did not use Kaseya software, the company was affected due to its payment system supplier, Visma, being impacted by the attack.

Since March 2023, the Cactus ransomware group has remained active. However, due to the threat actors employing a double extortion model, their data leak site has not yet been discovered.

In terms of attack methods, researchers from Kroll reported that the ransomware group uses encryption technology to protect the binary files of the ransomware.

The Cactus ransomware employs the SoftPerfect Network Scanner (netscan) and PowerShell commands to identify and list endpoints on the network. It also uses a modified version of the open-source PSnmap tool to review successful login records in the Windows Event Viewer and identify user accounts. Subsequently, it relies on multiple legitimate tools (such as Splashtop, AnyDesk, SuperOps RMM) for remote access and employs Cobalt Strike and the proxy tool Chisel in the later stages of the attack.

Once the malicious software elevates privileges on a machine, the threat actors use batch scripts to uninstall popular antivirus software installed on that machine to cover their “tracks”.

So, how does the Cactus ransomware execute data theft? They utilize the Rclone tool and a PowerShell script called TotalExec, which was previously used by the operators of BlackBasta ransomware for automating the encryption process.

Tags: