| Cactus Ransomware | |
|---|---|
| Location | Unknown |
| Date of initial activity | 2023 |
| Suspected attribution | Unknown |
| Associated Groups | The TotalExec.ps1 script used by Cactus was also used by the Black Basta group in 2022. The Cactus Tactics, Techniques and Procedures (TTPs) are similar to those of Magnet Goblin, but researchers haven’t yet confirmed a connection between them. |
| Motivation | Financial gain |
| Associated tools | Splashtop, AnyDesk, SuperOps RMM software, Cobalt Strike, Chisel |
| Active | Yes |
Overview
Since its discovery in March 2023, the Cactus Ransomware Group has swiftly expanded its presence across digital platforms, exploiting weaknesses, notably in VPNs, to infiltrate systems illicitly and establish control over compromised networks.
Exhibiting a nuanced grasp of evasion tactics, the group employs dynamic encryption methods and a diverse array of tools to stealthily deploy its malicious payload with maximum efficiency and discretion.
Cactus goes beyond mere encryption, establishing a robust foothold within compromised systems through intricate infection chains and layers of obfuscation. Employing UPX packing and OpenSSL-based encryption with AES OCB and ChaCha20_Poly1305, the threat actor restarts its own execution and enumerates network shares. This multifaceted approach ensures the success of its attacks while maintaining a veil of secrecy around its operations.
Common targets
Target Countries: The U.S., The U.K., Canada, Australia, France, Italy, Switzerland, Germany, Portugal.
Target Sectors: Manufacturing, Professional Services, Wholesale, Finance, Transportation.
Attack Vectors
Exploits vulnerabilities in VPNs and Qlik Sense to infiltrate victims’ infrastructure.
How they operate
The Cactus ransomware group exhibits a knack for stealth, executing its malicious endeavors with a cloak of sophistication and intricacy. Here’s a breakdown of the phases Cactus ransomware typically undergoes during its operations:
Initial Access
Cactus Ransomware capitalizes on vulnerabilities in VPN devices to infiltrate the target’s infrastructure covertly. This phase involves exploiting VPN weaknesses, establishing an SSH backdoor for unauthorized access, and ensuring a persistent foothold within the compromised network.
Infection Chain
Cactus employs a convoluted infection chain, navigating through layers of obfuscation and evasion techniques. A batch script extracts and executes the ransomware sample via 7-Zip; the ransomware keeps its own binary encrypted to evade detection and embed itself within the system. This multifaceted attack chain involves exploiting VPN vulnerabilities, employing remote access tools like Splashtop or AnyDesk, managing operations with SuperOps RMM software, using Cobalt Strike for post-exploitation, establishing encrypted communication channels with Chisel, and exfiltrating credentials.
Encryption Phase
Once entrenched, Cactus Ransomware initiates the encryption process, employing the AES-256-GCM and RSA-4096 algorithms to encrypt the victim’s files, magnifying the impact of the attack. A ransom note titled “cAcTuS.readme.txt” is then dropped, instilling panic and urgency in the victim.
Data Exfiltration and Leaks
Cactus goes beyond encryption, threatening to leak the victim’s data on its dark web data leak portal if the ransom is not paid, employing the double extortion method. This portal becomes a looming threat, extending the repercussions of the attack beyond encryption to compromise data confidentiality and inflict reputational damage.
Persistence
To maintain its foothold, Cactus Ransomware creates a scheduled task named “Updates Check Task” that runs the ransomware as SYSTEM every 5 minutes, so that its malicious activity persists even if the running process is interrupted.
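The persistence mechanism above is observable on the host: creating a scheduled task produces Windows Security Event ID 4698, whose TaskContent field carries the task's XML definition. The following is an added detection example written for this page, not code from the profile's sources or from any vendor; it runs over constructed 4698-style records (the sample events, the command paths and the second and third task names are invented for illustration) and flags both the exact task name given above and the more general pattern of a task running as SYSTEM (SID S-1-5-18) on a repetition interval of five minutes or less, which would also catch a renamed variant.

```python
"""Detect scheduled-task creations matching the Cactus persistence pattern:
a task named "Updates Check Task" that runs as SYSTEM every 5 minutes.
Input: Windows Security Event ID 4698 records as dicts (constructed samples)."""
import re
import xml.etree.ElementTree as ET

# Real namespace used by Task Scheduler XML definitions.
TASK_NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"
KNOWN_TASK_NAME = "updates check task"  # task name reported for Cactus
SYSTEM_SID = "S-1-5-18"                 # well-known SID for LocalSystem
MAX_SUSPICIOUS_INTERVAL_S = 5 * 60      # repetition at or under 5 minutes

# Constructed sample events, NOT real telemetry. Field names follow the 4698
# event layout (TaskName, SubjectUserName, TaskContent).
SAMPLE_EVENTS = [
    {   # exact match for the pattern described in the profile
        "EventID": 4698, "TaskName": "\\Updates Check Task", "SubjectUserName": "SYSTEM",
        "TaskContent": r"""<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><TimeTrigger><Repetition><Interval>PT5M</Interval></Repetition></TimeTrigger></Triggers>
  <Principals><Principal><UserId>S-1-5-18</UserId></Principal></Principals>
  <Actions><Exec><Command>C:\ProgramData\upd.exe</Command></Exec></Actions>
</Task>""",
    },
    {   # benign: SYSTEM task with no repetition interval (hypothetical name)
        "EventID": 4698, "TaskName": "\\Maintenance\\WeeklyCleanup", "SubjectUserName": "SYSTEM",
        "TaskContent": r"""<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><StartBoundary>2024-01-01T03:00:00</StartBoundary></CalendarTrigger></Triggers>
  <Principals><Principal><UserId>S-1-5-18</UserId></Principal></Principals>
  <Actions><Exec><Command>C:\Windows\System32\cleanmgr.exe</Command></Exec></Actions>
</Task>""",
    },
    {   # renamed variant: different name, same SYSTEM + 5-minute behaviour (hypothetical)
        "EventID": 4698, "TaskName": "\\Telemetry Refresh", "SubjectUserName": "SYSTEM",
        "TaskContent": r"""<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><TimeTrigger><Repetition><Interval>PT5M</Interval></Repetition></TimeTrigger></Triggers>
  <Principals><Principal><UserId>S-1-5-18</UserId></Principal></Principals>
  <Actions><Exec><Command>C:\Users\Public\svc.exe</Command></Exec></Actions>
</Task>""",
    },
]


def iso_duration_seconds(value):
    """Convert a Task Scheduler ISO-8601 duration (PT5M, PT1H30M, P1D) to seconds.
    Returns None when the value is missing or not a recognisable duration."""
    if not value:
        return None
    m = re.fullmatch(r"P(?:(\d+)D)?T?(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?", value.strip())
    if not m or not any(m.groups()):
        return None
    d, h, mi, s = (int(g) if g else 0 for g in m.groups())
    return d * 86400 + h * 3600 + mi * 60 + s


def parse_task_content(xml_text):
    """Pull the repetition interval, principal SID and command out of task XML."""
    if not xml_text:
        return {"interval_s": None, "user_id": None, "command": None}
    root = ET.fromstring(xml_text)
    return {
        "interval_s": iso_duration_seconds(root.findtext(f".//{TASK_NS}Repetition/{TASK_NS}Interval")),
        "user_id": root.findtext(f".//{TASK_NS}Principal/{TASK_NS}UserId"),
        "command": root.findtext(f".//{TASK_NS}Exec/{TASK_NS}Command"),
    }


def assess_task_event(event):
    """Return the reasons a 4698 event matches the persistence pattern (empty list = no match)."""
    if event.get("EventID") != 4698:
        return []
    reasons = []
    name = event.get("TaskName", "").lstrip("\\").strip().lower()
    details = parse_task_content(event.get("TaskContent"))
    if name == KNOWN_TASK_NAME:
        reasons.append("task name matches known Cactus persistence task")
    if (details["user_id"] == SYSTEM_SID and details["interval_s"] is not None
            and details["interval_s"] <= MAX_SUSPICIOUS_INTERVAL_S):
        reasons.append(f"runs as SYSTEM every {details['interval_s']}s")
    return reasons


def triage(events):
    """Return (task name, reasons) for every event that matches at least one rule."""
    return [(e.get("TaskName"), r) for e in events if (r := assess_task_event(e))]


if __name__ == "__main__":
    for task_name, reasons in triage(SAMPLE_EVENTS):
        print(task_name, "->", "; ".join(reasons))
```

The name rule is an exact IoC and will be the first thing an operator changes, so the second rule keys on behaviour instead: tasks that run as LocalSystem on a very short repetition are rare in legitimate software and are worth reviewing wherever they appear. Tune MAX_SUSPICIOUS_INTERVAL_S and add an allowlist of known task paths before running this against a real 4698 feed.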
Significant Attacks
- Schneider Electric suffers a Cactus ransomware attack leading to the theft of corporate data. (January 2024)