TIBA IT Services Hit by Cactus Ransomware: 29GB Data Stolen
Ransomware Attack on TIBA IT Services by Cactus Group
TIBA IT Services, a prominent provider of outsourced IT infrastructure management and support services in Mexico and Latin America, has recently fallen victim to a ransomware attack orchestrated by the Cactus ransomware group. The attack, discovered on August 8, 2024, resulted in the exfiltration of 29GB of sensitive data, posing significant operational and reputational challenges for the company.
About TIBA IT Services
TIBA IT Services specializes in delivering end-to-end IT solutions, including managed IT services, remote support, and SAP licensing optimization. The company operates under the umbrella of KIO Networks, a leading IT conglomerate in Mexico and Latin America. TIBA IT Services is headquartered in Zapopan, Jalisco, Mexico, and is known for adhering to ITIL standards and implementing best practices in service delivery. The company has a significant presence in the IT services industry, with approximately 948 followers on LinkedIn.
Attack Overview
The Cactus ransomware group managed to infiltrate TIBA IT Services' systems, exfiltrating 29GB of sensitive data. The attack has exposed vulnerabilities in the company's IT infrastructure, highlighting the need for enhanced cybersecurity measures. The perpetrators used sophisticated techniques to disable security tools and distribute the ransomware, targeting the company's critical systems.
About the Cactus Ransomware Group
The Cactus ransomware group, first discovered in March 2023, operates as a ransomware-as-a-service (RaaS). The group is known for exploiting vulnerabilities such as the ZeroLogon vulnerability (CVE-2020-1472) and leveraging malvertising lures for targeted attacks. Cactus ransomware employs unique encryption techniques to avoid detection, using custom scripts to disable security tools and distribute the ransomware. The group’s tactics align with the MITRE ATT&CK Framework, demonstrating a sophisticated understanding of cyber threats.
Penetration Techniques
Cactus ransomware affiliates use custom scripts to disable security tools and distribute the ransomware. They exploit vulnerabilities like ZeroLogon to gain unauthorized access to domain controllers and obtain domain administrator privileges. The group's deployment routine is distinctive: a batch script extracts the encryptor binary from a ZIP archive with 7-Zip, launches the extracted binary with an execution flag, and then deletes the original ZIP archive. Staging the encryptor inside an archive and removing it after launch helps the group evade detection and maintain persistence in the targeted environment.
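The three-step staging chain just described (7-Zip extraction, execution of the extracted binary with a flag, deletion of the archive) is a sequence a defender can correlate in process-creation telemetry. The following Python is an added example written for this post, not code from Halcyon or from any Cactus sample: it replays a handful of constructed process events and raises an alert only when all three steps occur on the same host inside a short window. The event schema, host names, file paths and the "-r" flag are all invented for the illustration; real Sysmon or EDR fields would be mapped onto the same dataclass.

```python
# Added example: correlate process-creation events for the archive-staging chain
# described in the post (7-Zip extract -> run extracted binary with a flag ->
# delete the archive). Event schema, paths, hosts and flags are constructed.
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

@dataclass
class ProcEvent:
    ts: datetime
    host: str
    image: str      # full path of the started process
    cmdline: str    # command line as logged
    parent: str     # full path of the parent process

SEVENZIP = ("7z.exe", "7za.exe", "7zr.exe")
WINDOW = timedelta(minutes=15)   # assumed: all three steps land within 15 min

def _base(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def _dirname(path: str) -> str:
    p = path.replace("/", "\\")
    return p.rsplit("\\", 1)[0].lower() if "\\" in p else ""

def extraction_target(ev: ProcEvent) -> Optional[Tuple[str, str]]:
    """If ev is a 7-Zip extract command, return (archive_path, output_dir)."""
    if _base(ev.image) not in SEVENZIP:
        return None
    m = re.search(r"\b[xe]\s+(\S+\.zip)", ev.cmdline, re.IGNORECASE)
    if not m:
        return None
    archive = m.group(1).strip('"')
    out = re.search(r"-o(\S+)", ev.cmdline)          # 7-Zip output-directory switch
    out_dir = out.group(1).strip('"').rstrip("\\").lower() if out else _dirname(archive)
    return archive, out_dir

def detect_staging_chain(events: List[ProcEvent]) -> List[dict]:
    """Return one alert per host where extract -> execute -> delete is observed."""
    alerts = []
    by_host = {}
    for ev in sorted(events, key=lambda e: e.ts):
        by_host.setdefault(ev.host, []).append(ev)
    for host, evs in by_host.items():
        for i, ev in enumerate(evs):
            target = extraction_target(ev)
            if not target:
                continue
            archive, out_dir = target
            later = [e for e in evs[i + 1:] if e.ts - ev.ts <= WINDOW]
            # step 2: an .exe under the extraction directory started with an argument
            executed = next((e for e in later
                             if _dirname(e.image) == out_dir
                             and _base(e.image).endswith(".exe")
                             and len(e.cmdline.split()) > 1), None)
            # step 3: the same archive deleted after the binary ran
            deleted = next((e for e in later
                            if executed and e.ts >= executed.ts
                            and re.search(r"\b(del|erase)\b", e.cmdline, re.IGNORECASE)
                            and archive.lower() in e.cmdline.lower()), None)
            if executed and deleted:
                alerts.append({"host": host, "archive": archive,
                               "binary": executed.image, "flag_cmdline": executed.cmdline,
                               "first_seen": ev.ts, "deleted_at": deleted.ts})
    return alerts

# Constructed sample telemetry: WS-042 shows the full chain, WS-007 a benign unzip.
T = datetime(2024, 8, 8, 3, 0, 0)
CMD = r"C:\Windows\System32\cmd.exe"
SAMPLE_EVENTS = [
    ProcEvent(T, "WS-042", r"C:\Program Files\7-Zip\7z.exe",
              r'7z.exe x C:\ProgramData\pkg.zip -pSECRET -oC:\ProgramData\tmp', CMD),
    ProcEvent(T + timedelta(seconds=5), "WS-042", r"C:\ProgramData\tmp\svc.exe",
              "svc.exe -r", CMD),                      # "-r" is a placeholder flag
    ProcEvent(T + timedelta(seconds=9), "WS-042", CMD,
              r'cmd.exe /c del "C:\ProgramData\pkg.zip"', CMD),
    ProcEvent(T + timedelta(minutes=2), "WS-007", r"C:\Program Files\7-Zip\7z.exe",
              r"7z.exe x C:\Users\ana\Downloads\report.zip -oC:\Users\ana\Downloads\report",
              r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for a in detect_staging_chain(SAMPLE_EVENTS):
        print(f"[ALERT] {a['host']}: {a['archive']} -> {a['binary']} ({a['flag_cmdline']})")
```

The rule deliberately requires all three steps before alerting, so an ordinary archive extraction on its own (the WS-007 events) stays quiet; the password switch seen on the extraction command and the deletion of the source archive are the parts worth surfacing to an analyst when the chain does fire.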