| Cactus | |
|---|---|
| Type of Malware | Ransomware |
| Country of Origin | Unknown |
| Date of initial activity | 2023 |
| Associated Groups | Cactus Ransomware Group |
| Targeted Countries | The U.S., the U.K., Canada, Australia, France, Italy, Switzerland, Germany, Portugal |
| Motivation | Financial Gain |
| Attack vectors | CACTUS ransomware exploits known VPN vulnerabilities to gain initial access, which limits its pool of potential targets to organizations running vulnerable VPN appliances. |
| Targeted systems | Windows |
Overview
CACTUS ransomware first emerged in March 2023. It takes its name from the ransom note it drops on victims' machines, cAcTuS.readme.txt. Encrypted files receive a .cts1 extension, in which the numeric suffix varies from one infection to another.
Targets
CACTUS has primarily been observed targeting large enterprises, which have the resources to meet a large ransom demand. Target sectors: manufacturing, professional services, wholesale, finance, transportation.
How they operate
CACTUS ransomware typically exploits vulnerabilities in virtual private network (VPN) appliances to enter a target environment. Once inside, the operators establish command and control (C2) over SSH and use Scheduled Tasks to keep that access across reboots.
Having established a foothold, they scan the network to identify further hosts to infect and harvest user credentials by several methods, including web browser credential stores and LSASS memory dumping. The stolen credentials are used to escalate privileges and spread to remote devices.
Once entrenched, the malware uses msiexec to uninstall common antivirus products. It is also distributed as an encrypted binary that needs an AES key to unpack, which frustrates analysis by researchers and automated sandboxes and delays understanding of its capabilities.
CACTUS operates a double-extortion model: it encrypts data with a combination of RSA and AES while also exfiltrating files, often using Rclone to copy stolen data to cloud storage. After encryption and exfiltration, it drops ransom notes on the victim's devices to press the extortion demand.
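The behaviours above map directly onto host-level detections. The following is an added example (not from this profile or from any vendor product): a Python scan over constructed endpoint events that flags the cAcTuS.readme.txt note, the .cts<N> extension, msiexec-driven uninstalls, schtasks persistence and Rclone execution. The event schema, the sample values and the alerting thresholds are assumptions.

```python
import re
from collections import Counter

# Constructed sample telemetry (not real logs): one process-creation or
# file-write event per dict, modelled on the CACTUS behaviours described above.
SAMPLE_EVENTS = [
    {"kind": "process", "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": "msiexec.exe /x {00000000-0000-0000-0000-000000000000} /qn"},
    {"kind": "process", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": "schtasks /create /tn Updates /tr C:\\ProgramData\\update.bat /sc onstart"},
    {"kind": "process", "image": r"C:\ProgramData\rclone.exe",
     "cmdline": "rclone copy D:\\share remote:bucket"},
    {"kind": "process", "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
    {"kind": "file", "path": r"D:\share\report.docx.cts1"},
    {"kind": "file", "path": r"D:\share\budget.xlsx.cts1"},
    {"kind": "file", "path": r"D:\share\cAcTuS.readme.txt"},
    {"kind": "file", "path": r"D:\share\notes.txt"},
]

# Process rules run over image path + command line; file rules over the path.
PROCESS_RULES = {
    "msiexec_uninstall": re.compile(r"msiexec(\.exe)?\s.*(/x|/uninstall)\b", re.I),
    "scheduled_task_create": re.compile(r"schtasks(\.exe)?\s.*/create\b", re.I),
    "rclone_execution": re.compile(r"(^|\\)rclone(\.exe)?(\s|$)", re.I),
}
FILE_RULES = {
    "cactus_ransom_note": re.compile(r"(^|\\)cactus\.readme\.txt$", re.I),  # cAcTuS.readme.txt
    "cts_extension": re.compile(r"\.cts\d+$", re.I),                        # .cts1, .cts2, ...
}

def detect(events):
    """Count rule hits across a list of events; returns a Counter keyed by rule name."""
    hits = Counter()
    for ev in events:
        if ev["kind"] == "process":
            text = ev["image"] + " " + ev["cmdline"]
            for name, rx in PROCESS_RULES.items():
                if rx.search(text):
                    hits[name] += 1
        elif ev["kind"] == "file":
            for name, rx in FILE_RULES.items():
                if rx.search(ev["path"]):
                    hits[name] += 1
    return hits

def triage(hits, mass_rename_threshold=2):
    """Name the findings that warrant an incident ticket (threshold is an assumption)."""
    alerts = []
    if hits["cactus_ransom_note"]:
        alerts.append("ransom note written")
    if hits["cts_extension"] >= mass_rename_threshold:
        alerts.append("mass rename to .cts<N>")
    if hits["msiexec_uninstall"] and hits["rclone_execution"]:
        alerts.append("AV uninstall and rclone on same host")
    return alerts
```

On the constructed events, `triage(detect(SAMPLE_EVENTS))` returns all three alerts; the same loop can be pointed at Sysmon or EDR exports once the field names are mapped.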
MITRE Techniques Used
Initial Access
Exploit Public-Facing Application (T1190)
Execution
Command and Scripting Interpreter (T1059)
Windows Management Instrumentation (T1047)
Shared Modules (T1129)
Software Deployment Tools (T1072)
Persistence
DLL Side-Loading (T1574.002)
Scheduled Task/Job (T1053)
Scheduled Task (T1053.005)
Create Account (T1136)
Privilege Escalation
Process Injection (T1055)
DLL Side-Loading (T1574.002)
Defense Evasion
Process Injection (T1055)
Masquerading (T1036)
Virtualization/Sandbox Evasion (T1497)
Hidden Files and Directories (T1564.001)
DLL Side-Loading (T1574.002)
Impair Defenses (T1562)
Disable or Modify Tools (T1562.001)
Obfuscated Files or Information (T1027)
Software Packing (T1027.002)
Credential Access
Input Capture (T1056)
Credentials from Password Stores (T1555)
Credentials from Web Browsers (T1555.003)
OS Credential Dumping (T1003)
Discovery
System Information Discovery (T1082)
Security Software Discovery (T1518.001)
Remote System Discovery (T1082)
Process Discovery (T1057)
File and Directory Discovery (T1083)
Virtualization/Sandbox Evasion (T1497)
System Network Connections Discovery (T1049)
Account Discovery (T1087)
Domain Account (T1087.002)
Lateral Movement
Remote Services (T1021)
Remote Desktop Protocol (T1021.001)
Lateral Tool Transfer (T1570)
Collection
Input Capture (T1056)
Automated Collection (T1119)
Command and Control
Application Layer Protocol (T1071)
Non-Application Layer Protocol (T1095)
Non-Standard Port (T1571)
Encrypted Channel (T1573)
Remote Access Software (T1219)
Proxy (T1090)
Exfiltration
Exfiltration Over Web Service (T1567)
Exfiltration to Cloud Storage (T1567.002)
Impact
Data Encrypted for Impact (T1486)
Tools
Splashtop, AnyDesk, SuperOps RMM software, Cobalt Strike, Chisel.
Significant Malware Campaigns
- Energy management and automation giant Schneider Electric suffered a Cactus ransomware attack leading to the theft of corporate data. (January 2024)