A new ransomware operation called Cactus has been identified targeting large commercial entities. The hackers have been active since at least March and are using encryption to protect the ransomware binary. Researchers have observed that the hackers are exploiting known vulnerabilities in Fortinet VPN appliances. Cactus is different from other ransomware operations in that it essentially encrypts itself, making it more challenging to detect and helping it evade antivirus and network monitoring tools. To ensure file encryption is possible, a unique AES key, known only to the attackers, is hardcoded into the encryptor binary. The malware uses multiple extensions for the files it targets, depending on the processing state.
Once inside the network, the attackers use a scheduled task for persistent access, and a backdoor is installed through an SSH connection. The threat actor uses PowerShell commands to enumerate endpoints, identify user accounts by viewing successful logins in Windows Event Viewer, and ping remote hosts. The researchers also found that the attacker used a modified variant of the open-source PSnmap Tool, which is a PowerShell equivalent of the nmap network scanner. The ransomware operators use a batch script that uninstalls the most commonly used antivirus products.
Cactus ransomware also steals data from the victim. For this process, the threat actor uses the Rclone tool to transfer files straight to cloud storage. After exfiltrating data, the hackers used a PowerShell script called TotalExec to automate the deployment of the encryption process. At present, there is no public information about the ransoms demanded by Cactus, but it is believed that they are in the millions. The hackers threaten victims with publishing stolen files unless they get paid.
Cactus ransomware’s TTPs include using multiple remote access methods through legitimate tools, such as Splashtop, AnyDesk, SuperOps RMM, along with Cobalt Strike and the Go-based proxy tool Chisel. Cactus ransomware has not set up a leak site like other ransomware operations involved in double-extortion. Despite this, the encryption routine in Cactus ransomware attacks is unique, but it does not appear to be particular to Cactus, as a similar encryption process has also been adopted recently by the BlackBasta ransomware gang.
