
Cactus (Ransomware Group) – Threat Actor

April 19, 2024
in Ransomware Group, Threat Actors

Cactus Ransomware

Location

Unknown

Date of initial activity

2023

Suspected attribution

Unknown

Associated Groups

The TotalExec.ps1 script that Cactus uses to automate deployment of its encryptor was previously used by the Black Basta group in 2022. Cactus's tactics, techniques and procedures (TTPs) also overlap with those of Magnet Goblin, but researchers have not confirmed a connection between the two groups.

Motivation

Financial gain

Associated tools

Splashtop, AnyDesk, SuperOps RMM software, Cobalt Strike, Chisel.

Active

Yes

Overview

Cactus ransomware was first observed in March 2023. The group gains initial access by exploiting known vulnerabilities in VPN appliances, then works to take control of the compromised network before deploying its payload. It relies on a wide set of legitimate remote-access and tunnelling tools so that its activity blends in with administration traffic. The encryptor itself is built to defeat static detection: it is packed with UPX and is stored in encrypted form, decrypting only at run time. The binary links OpenSSL, with AES in OCB mode and ChaCha20-Poly1305 routines present, runs in several modes (re-launching itself through a scheduled task) and enumerates network shares before encrypting. The result is an intrusion that is hard to spot until files are already encrypted and data has already been stolen.

Common targets

Target Countries: The U.S., The U.K., Canada, Australia, France, Italy, Switzerland, Germany, Portugal.

Target Sectors: Manufacturing, Professional Services, Wholesale, Finance, Transportation.

Attack Vectors

Exploits known vulnerabilities in VPN appliances and in Qlik Sense to gain initial access to victims' infrastructure.

How they operate

Cactus intrusions follow a consistent pattern. The phases below are those observed across reported incidents.

Initial Access

Cactus exploits vulnerabilities in VPN appliances (and, in later campaigns, Qlik Sense) to enter the victim's network. Once inside, the operators establish an SSH backdoor to their command-and-control infrastructure so that access survives even if the original entry point is patched.

Infection Chain

The ransomware is delivered through a layered chain designed to defeat static detection. A batch script uses 7-Zip to extract the encryptor, which is itself stored encrypted and is decrypted only when launched with a key supplied at run time, so the file on disk does not match signatures. Around the encryptor the operators deploy legitimate remote-access software (Splashtop, AnyDesk) and SuperOps RMM for hands-on-keyboard control, Cobalt Strike for post-exploitation command and control, Chisel to tunnel traffic past perimeter controls, and credential harvesting to widen their access.

Encryption Phase

Once entrenched, Cactus encrypts the victim's files with AES-256-GCM and protects the file keys with RSA-4096, so the data cannot be recovered without the attackers' private key. A ransom note named "cAcTuS.readme.txt" is dropped on the encrypted systems.

Data Exfiltration and Leaks

Alongside encryption, the group steals data and threatens to publish it on its dark-web leak site if the ransom is not paid (double extortion). This turns a recoverable availability incident into a confidentiality breach, with regulatory and reputational consequences even where backups exist.

Persistence

To survive reboots and interruption, the encryptor registers a scheduled task named "Updates Check Task" that runs every 5 minutes as SYSTEM and re-launches the ransomware, so encryption continues until the task is removed.
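A hunt for the persistence mechanism described above, as an added example that is not code from the original page or from any published Cactus analysis: it parses Windows Security event 4698 ("a scheduled task was created") records and flags tasks matching the reported indicators (task name "Updates Check Task", SYSTEM principal, 5-minute repetition). The event records, host names, user names and the path C:\ProgramData\update.exe are constructed for the example; the 5-minute threshold and the "SYSTEM task outside C:\Windows" heuristic are my assumptions, not indicators from the page.

```python
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

EVT = "{http://schemas.microsoft.com/win/2004/08/events/event}"
TASK = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"
SYSTEM_SID = "S-1-5-18"
KNOWN_TASK_NAMES = {"updates check task"}   # task name reported for Cactus
MAX_INTERVAL_S = 300                        # assumption: a 5-minute loop or tighter is suspicious


def iso_duration_seconds(text):
    """Convert a Task Scheduler ISO-8601 interval such as 'PT5M' or 'P1D' to seconds."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", text or "")
    if not m:
        return None
    d, h, mi, s = (int(g) if g else 0 for g in m.groups())
    return d * 86400 + h * 3600 + mi * 60 + s


def parse_4698(event_xml):
    """Pull the fields that matter out of one 4698 event; returns None for other event IDs."""
    root = ET.fromstring(event_xml)
    if root.findtext(f"{EVT}System/{EVT}EventID") != "4698":
        return None
    data = {d.get("Name"): (d.text or "") for d in root.iter(f"{EVT}Data")}
    # TaskContent is the task's own XML, escaped inside the event; drop its
    # <?xml ... encoding="UTF-16"?> declaration before re-parsing it as a str.
    task_xml = re.sub(r"^\s*<\?xml[^>]*\?>", "", data.get("TaskContent", ""))
    task = ET.fromstring(task_xml)
    return {
        "computer": root.findtext(f"{EVT}System/{EVT}Computer") or "",
        "creator": f"{data.get('SubjectDomainName', '')}\\{data.get('SubjectUserName', '')}",
        "task_name": data.get("TaskName", ""),
        "run_as": task.findtext(f".//{TASK}Principal/{TASK}UserId") or "",
        "interval_s": iso_duration_seconds(task.findtext(f".//{TASK}Repetition/{TASK}Interval")),
        "command": task.findtext(f".//{TASK}Exec/{TASK}Command") or "",
    }


def cactus_indicators(rec):
    """Return the reasons a created task looks like Cactus persistence (empty list = benign)."""
    reasons = []
    if rec["task_name"].lstrip("\\").lower() in KNOWN_TASK_NAMES:
        reasons.append("task name matches the reported Cactus task")
    as_system = rec["run_as"].upper() == SYSTEM_SID
    tight_loop = rec["interval_s"] is not None and rec["interval_s"] <= MAX_INTERVAL_S
    if as_system and tight_loop:
        reasons.append("runs as SYSTEM on a repetition of 5 minutes or less")
    if as_system and not rec["command"].lower().startswith("c:\\windows\\"):
        reasons.append("SYSTEM task runs a binary outside C:\\Windows")
    return reasons


def hunt(event_xmls):
    """Return (computer, task_name, reasons) for every 4698 event that trips an indicator."""
    hits = []
    for xml_text in event_xmls:
        rec = parse_4698(xml_text)
        if rec is None:
            continue
        reasons = cactus_indicators(rec)
        if reasons:
            hits.append((rec["computer"], rec["task_name"], reasons))
    return hits


def make_4698(computer, user, task_name, interval, user_id, command):
    """Build a constructed 4698 event in the Security-log XML layout (sample data only)."""
    task_xml = (
        '<?xml version="1.0" encoding="UTF-16"?>'
        '<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
        f"<Triggers><TimeTrigger><Repetition><Interval>{interval}</Interval></Repetition>"
        "<Enabled>true</Enabled></TimeTrigger></Triggers>"
        f'<Principals><Principal id="Author"><UserId>{user_id}</UserId>'
        "<RunLevel>HighestAvailable</RunLevel></Principal></Principals>"
        f'<Actions Context="Author"><Exec><Command>{escape(command)}</Command></Exec></Actions>'
        "</Task>"
    )
    return (
        f'<Event xmlns="{EVT[1:-1]}">'
        f"<System><EventID>4698</EventID><Computer>{computer}</Computer></System>"
        f'<EventData><Data Name="SubjectUserName">{user}</Data>'
        '<Data Name="SubjectDomainName">CORP</Data>'
        f'<Data Name="TaskName">{escape(task_name)}</Data>'
        f'<Data Name="TaskContent">{escape(task_xml)}</Data></EventData></Event>'
    )


# Constructed sample events: one Cactus-like task and two benign ones.
SAMPLE_EVENTS = [
    make_4698("WS01.corp.local", "svc-backup", "\\Updates Check Task", "PT5M",
              SYSTEM_SID, "C:\\ProgramData\\update.exe"),
    make_4698("WS01.corp.local", "SYSTEM", "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag", "P1D",
              SYSTEM_SID, "C:\\Windows\\System32\\defrag.exe"),
    make_4698("WS02.corp.local", "jdoe", "\\OneDriveSync", "PT5M",
              "S-1-5-21-1111-2222-3333-1001", "C:\\Users\\jdoe\\AppData\\Local\\sync.exe"),
]

if __name__ == "__main__":
    for computer, name, reasons in hunt(SAMPLE_EVENTS):
        print(f"{computer}: {name}")
        for r in reasons:
            print(f"  - {r}")
```

Event 4698 is only written when "Audit Other Object Access Events" is enabled in the audit policy; where it is not, the same fields can be read from the task XML files under C:\Windows\System32\Tasks or from the Task Scheduler operational log. Matching the task name alone is brittle, since the name is trivially changed between builds; the SYSTEM-plus-tight-loop combination is the part of the behaviour that is expensive for the operator to give up.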

Significant Attacks

  • Schneider Electric suffers a Cactus ransomware attack leading to the theft of corporate data. (January 2024)
References:
  • Energy giant Schneider Electric hit by Cactus ransomware attack
  • Dark Web Profile: Cactus Ransomware
  • CACTUS Ransomware: Prickly New Variant Evades Detection
  • CACTUS: Analyzing a Coordinated Ransomware Attack on Corporate Networks
  • Who is behind Cactus ransomware?
  • Qlik Sense Exploited in Cactus Ransomware Campaign
    © 2025 | CyberMaterial | All rights reserved