Connect with us

Hi, what are you looking for?



Cactus Ransomware Group Confirms Hacking Schneider Electric

Cactus ransomware has added Schneider Electric to its leak site, claiming to have stolen 1.5 terabytes of data.

The Cactus ransomware gang has claimed responsibility for the cyberattack that French industrial giant Schneider Electric disclosed at the end of January.

The incident, the company said at the time, was discovered on January 17 and only impacted its Sustainability Business division, resulting in severed access to Resource Advisor and other systems used by the division.

Schneider Electric has since updated its incident notification to say that it has restored access to the impacted systems and that the attackers exfiltrated certain Sustainability Business data.

Initial reports suggested that the Cactus ransomware group might have orchestrated the attack, and the suspicions have been confirmed, after the gang listed the French giant on its Tor-based leak website.

According to Cactus, roughly 1.5 terabytes of data were exfiltrated from Schneider Electric’s systems. The ransomware gang has published a small set of allegedly stolen data, including copies of passports and non-disclosure agreements, and is threatening to make it all public unless a ransom is paid.

Schneider Electric’s Sustainability Business provides sustainability consulting services to large organizations worldwide, including Clorox, DHL, Hilton, and PepsiCo. However, it is unclear how many of these clients were affected by the incident.

Active since at least March 2023, Cactus made headlines in November, when security operations firm Arctic Wolf blamed it for the exploitation of vulnerabilities in a product of business analytics firm Qlik.

It was also observed exploiting Fortinet VPN flaws for initial access, creating an SSH backdoor for persistence, relying on remote access tools, stealing credentials, and encrypting data on all accessible systems.

Cactus has been highly active in the recent months and is currently listing more than 100 companies on its leak site.

Advertisement. Scroll to continue reading.

Related: Ransomware Group Takes Credit for LoanDepot, Prudential Financial Attacks

Related: US Offers $10 Million for Information on BlackCat Ransomware Leaders

Related: Ransomware Attack Knocks 100 Romanian Hospitals Offline

Written By

Ionut Arghire is an international correspondent for SecurityWeek.


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.


SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.


People on the Move

Shay Mowlem has been named CMO of runtime and application security company Contrast Security.

Attack detection firm Vectra AI has appointed Jeff Reed to the newly created role of Chief Product Officer.

Shaun Khalfan has joined payments giant PayPal as SVP, CISO.

More People On The Move

Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


A SaaS ransomware attack against a company’s Sharepoint Online was done without using a compromised endpoint.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.

Data Breaches

Sony shares information on the impact of two recent unrelated hacker attacks carried out by known ransomware groups. 


Several major organizations are confirming impact from the latest zero-day exploits hitting Fortra's GoAnywhere software.

Data Breaches

KFC and Taco Bell parent company Yum Brands says personal information was compromised in a January 2023 ransomware attack.


Alphv/BlackCat ransomware group files SEC complaint against MeridianLink over its failure to disclose an alleged data breach caused by the hackers.


Johnson Controls has confirmed being hit by a disruptive cyberattack, with a ransomware group claiming to have stolen 27Tb of information from the company.