TIBA IT Services Hit by Cactus Ransomware: 29GB Data Stolen

Incident Date: Aug 08, 2024

Attack Overview

Victim: TIBA IT Services
Industry: Business Services
Location: Mexico
Attacker: Cactus
First Reported: August 8, 2024

Ransomware Attack on TIBA IT Services by Cactus Group

TIBA IT Services, a provider of outsourced IT infrastructure management and support services in Mexico and Latin America, has been listed as a victim of the Cactus ransomware group. The attack, first reported on August 8, 2024, is claimed to have resulted in the exfiltration of 29GB of data, which exposes the company to operational and reputational harm and, because TIBA manages infrastructure for other organizations, potentially its customers as well.

About TIBA IT Services

TIBA IT Services specializes in delivering end-to-end IT solutions, including managed IT services, remote support, and SAP licensing optimization. The company operates under the umbrella of KIO Networks, a large IT services group in Mexico and Latin America. TIBA IT Services is headquartered in Zapopan, Jalisco, Mexico, and states that it follows ITIL standards and best practices in service delivery. The company's LinkedIn page has approximately 948 followers.

Attack Overview

The Cactus ransomware group gained access to TIBA IT Services' systems and exfiltrated 29GB of data. The initial access vector, the systems affected, and the contents of the stolen data have not been described in the available reporting, so the account below of how the group operates is drawn from its known tradecraft rather than from confirmed details of this intrusion. That tradecraft, described in the following sections, includes disabling security tools with custom scripts and staging the ransomware payload for deployment across critical systems.

About the Cactus Ransomware Group

The Cactus ransomware group, first observed in March 2023, operates as a ransomware-as-a-service (RaaS). Its affiliates are reported to gain access by exploiting vulnerabilities such as ZeroLogon (CVE-2020-1472) and by luring victims through malvertising. What sets Cactus apart is that the encryptor protects itself: the binary is stored in encrypted form and only unpacks when launched with the correct flag and key, which hinders static analysis and antivirus scanning of the file on disk. Affiliates also use custom scripts to disable security tools before distributing the ransomware. The group's techniques map cleanly onto the MITRE ATT&CK framework, which is useful for defenders building detections around each stage.

Penetration Techniques

Cactus ransomware affiliates use custom scripts to disable security tools and distribute the ransomware. They exploit vulnerabilities like ZeroLogon to gain unauthorized access to domain controllers and obtain domain administrator access. Deployment follows a recognizable sequence: a batch script extracts the encryptor binary from an archive using 7-Zip, launches the binary with an execution flag that it requires in order to unpack and run, and then deletes the original archive. The self-protecting binary evades static detection, and deleting the archive leaves little on disk for responders, so process-creation and file-deletion telemetry (the 7-Zip command line, the child process started from the extraction directory, the removal of the archive) is often the most reliable evidence of this stage.
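The deployment chain described above can be caught by correlating endpoint telemetry rather than by scanning the encryptor itself. The following is an added example written for this page, not code from Halcyon, TIBA IT Services or the Cactus group. It assumes Sysmon-style telemetry exported as JSON lines (event 1 for process creation with pid, ppid, image and cmdline; event 23 for file deletion with pid and target); the sample events, PIDs, paths, the "-i" flag and the key value are all constructed placeholders, not indicators from the TIBA incident.

```python
"""Correlate 7-Zip extraction -> execution from the extraction directory with a
flag -> deletion of the archive, all under one parent process (the batch
script's cmd.exe). Added example; assumes Sysmon-style JSON-lines telemetry."""
import json
import re
from collections import defaultdict

# Constructed telemetry: one malicious chain under parent PID 1200 and one
# benign archive extraction under parent PID 2000 that must not alert.
SAMPLE_LOG = [
    r'{"event":1,"pid":1200,"ppid":900,"image":"C:\\Windows\\System32\\cmd.exe","cmdline":"cmd.exe /c C:\\ProgramData\\deploy.bat"}',
    r'{"event":1,"pid":1201,"ppid":1200,"image":"C:\\Program Files\\7-Zip\\7z.exe","cmdline":"7z.exe x -pS3cretKey C:\\ProgramData\\payload.7z -oC:\\ProgramData\\out"}',
    r'{"event":1,"pid":1202,"ppid":1200,"image":"C:\\ProgramData\\out\\svchost.exe","cmdline":"C:\\ProgramData\\out\\svchost.exe -i PLACEHOLDERKEY"}',
    r'{"event":23,"pid":1200,"target":"C:\\ProgramData\\payload.7z"}',
    r'{"event":1,"pid":2300,"ppid":2000,"image":"C:\\Program Files\\7-Zip\\7z.exe","cmdline":"7z.exe x C:\\Users\\ana\\Downloads\\reports.zip -oC:\\Users\\ana\\Documents\\reports"}',
    r'{"event":23,"pid":2000,"target":"C:\\Users\\ana\\Downloads\\reports.zip"}',
]

SEVEN_ZIP = re.compile(r'\\7z[ag]?\.exe$', re.I)
# "7z x [switches] <archive> [-o<dir>]": capture the archive and output dir.
EXTRACT = re.compile(
    r'\s[xe]\s+(?:-\S+\s+)*"?(?P<archive>[^"\s]+\.(?:7z|zip))"?'
    r'(?:\s+-o"?(?P<outdir>[^"\s]+)"?)?', re.I)


def _parent_dir(path):
    # Approximation used only when 7-Zip was run without -o.
    return path.rsplit("\\", 1)[0]


def detect_cactus_chain(lines):
    """Return one alert per 7-Zip extraction that is followed, under the same
    parent process, by execution of a binary from the extraction directory
    with a command-line flag. Severity is 'high' when the archive is also
    deleted by a process in that family, 'medium' otherwise."""
    events = [json.loads(line) for line in lines if line.strip()]
    children = defaultdict(list)
    for ev in events:
        if ev["event"] == 1:
            children[ev["ppid"]].append(ev)
    deletes = [ev for ev in events if ev["event"] == 23]

    alerts = []
    for ppid, procs in children.items():
        family = {p["pid"] for p in procs} | {ppid}
        for proc in procs:
            if not SEVEN_ZIP.search(proc["image"]):
                continue
            m = EXTRACT.search(proc["cmdline"])
            if not m:
                continue
            archive = m.group("archive")
            outdir = (m.group("outdir") or _parent_dir(archive)).lower().rstrip("\\") + "\\"
            deleted = any(d["pid"] in family and d["target"].lower() == archive.lower()
                          for d in deletes)
            for sibling in procs:
                image = sibling["image"]
                if SEVEN_ZIP.search(image) or not image.lower().startswith(outdir):
                    continue
                flags = [t for t in sibling["cmdline"].split()[1:] if t.startswith(("-", "/"))]
                if not flags:
                    continue
                stages = ["extract", "execute_with_flag"] + (["archive_deleted"] if deleted else [])
                alerts.append({
                    "parent_pid": ppid, "archive": archive, "encryptor": image,
                    "flags": flags, "stages": stages,
                    "severity": "high" if deleted else "medium",
                })
    return alerts


if __name__ == "__main__":
    for alert in detect_cactus_chain(SAMPLE_LOG):
        print(json.dumps(alert))
```

Grouping by parent PID is what keeps the benign extraction quiet: a user unpacking reports.zip and later deleting it never runs anything from the output directory, so no alert is raised, while the deploy.bat family trips all three stages. In production the same logic would consume a SIEM query over the last few minutes of events rather than a static list, and the flag list should be reviewed rather than matched against a fixed value, since affiliates can rename both the flag and the binary.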
