Cactus ransomware hackers say they stole terabytes of Schneider Electric data

ID theft
Image credit: Pixabay (Image credit: Future)

The Cactus ransomware hackers have claimed responsibility for the recent cyberattack on Schneider Electric, claiming to have stolen 1.5TB of sensitive data in the heist.

The ransomware group added the energy giant to its data leak website, posted samples of the stolen data, and are demanding money in exchange for keeping the data secure.

While it is impossible to determine exactly what type of data the group stole at this point, the hackers are thought to have accessed Schneider Electric’s Sustainability Business, which provides renewable energy and regulatory compliance consulting to large corporations around the world. Some of its clients include DHL, Hilton, Lexmark, and Walmart.

Contained attack

The group also posted a 25MB sample, which includes snapshots of people’s passports, and scans of different non-disclosure agreements. The group is now asking for money in exchange for keeping the data safe, but we don’t know exactly how much money they’re asking for, or if Schneider Electric is even interested in paying. 

However, the media argue the data could include sensitive information about client industrial control and automation systems which, if leaked, could turn into an even bigger problem for Schneider.

Cactus is a known threat actor that was first spotted in May 2023, when researchers discovered a ransomware variant that evades detection by encrypting itself. What also makes Cactus interesting is that it has multiple modes of encryption, including a quick mode. If the operators decide to run both modes one after the other, the files will be encrypted twice and will get two file extensions. 

"From a recovery standpoint, Sustainability Business is performing remediation steps to ensure that business platforms will be restored to a secure environment,” the company said in mid-January, when the breach was first detected.  “Teams are currently testing the operational capabilities of impacted systems with the expectation that access will resume in the next two business days.” 

“From a containment standpoint, as Sustainability Business is an autonomous entity operating its isolated network infrastructure, no other entity within the Schneider Electric group has been affected.”

Via BleepingComputer

More from TechRadar Pro

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.