Cactus (Ransomware) – Malware

Overview

CACTUS ransomware emerged in March 2023 as a malicious software strain. It derives its name from the ransom note it deposits on victims’ computers, labeled as cAcTuS.readme.txt. Additionally, the malware encrypts files, appending the .cts1 extension, with the numeric portion of the extension being variable.

Targets

CACTUS has primarily been observed to target large enterprises, which have the resources required to meet a large ransom request. Target Sectors: Manufacturing, Professional Services, Wholesale, Finance, Transportation.

How they operate

CACTUS ransomware typically exploits vulnerabilities within virtual private network (VPN) software to infiltrate target environments. Upon gaining entry, the malware establishes command and control (C2) communications via SSH, leveraging Scheduled Tasks for persistence across system reboots. Having established a presence within the network, the malware conducts network scans to identify potential targets for infection, while also employing various methods to pilfer user credentials, including web browser data and LSASS dumping. These compromised credentials enable the malware to escalate privileges and propagate itself through remote devices. Once entrenched, the malware employs msiexec to uninstall common antivirus software and employs encryption techniques to evade detection, distributing itself in an encrypted form that requires an AES key for unpacking. This tactic thwarts analysis efforts by researchers and sandboxes, hindering the understanding of its malicious capabilities. CACTUS ransomware employs a double-extortion approach, encrypting data using RSA and AES algorithms while also attempting exfiltration, often utilizing Rclone to transfer stolen files to cloud storage. Following encryption and exfiltration, the malware issues ransom notes on the victim’s device, intensifying the extortion demands.

MITRE Techniques Used

Initial Access Exploit Public-Facing Application (T1190) Execution Command and Scripting Interpreter (T1059) Windows Management Instrumentation (T1047) Shared Modules (T1129) Software Deployment Tools (T1072) Persistence DLL Side-Loading (T1574.002) Scheduled Task/Job (T1053) Scheduled Task (T1053.005) Create Account (T1136) Privilege Escalation Process Injection (T1055) DLL Side-Loading (T1574.002) Defense Evasion Process Injection (T1055) Obfuscated Files or Information (T1027) Masquerading (T1036) Virtualization/Sandbox Evasion (T1497) Hidden Files and Directories (T1564.001) DLL Side-Loading (T1574.002) Impair Defenses (T1562) Disable or Modify Tools (TT1562.001) Obfuscated Files or Information (T1027) Software Packing (T1027.002) Credential Access Input Capture (T1056) Credentials from Password Stores (T1555) Credentials from Web Browsers (T1555.003) OS Credential Dumping (T1003) Discovery System Information Discovery (T1082) Security Software Discovery (T1518.001) Remote System Discovery (T1082) Process Discovery (T1057) File and Directory Discovery (T1083) Virtualization/Sandbox Evasion (T1497) System Network Connections Discovery (T1049) Account Discovery (T1087) Domain Account (T1087.002) Lateral Movement Remote Services (T1021) Remote Services: Remote Desktop Protocol (T1021.001) Lateral Tool Transfer (T1570) Collection Input Capture (T1056) Automated Collection (T1119) Command and Control Application Layer Protocol (T1071) Non-Application Layer Protocol (T1095) Non-Standard Port (T1571) Encrypted Channel (T1573) Remote Access Software (T1219) Proxy (T1090) Exfiltration Exfiltration Over Web Service (T1567) Exfiltration Over Web Service: Exfiltration to Cloud Storage (T1567.002) Impact Data Encrypted for Impact (T1486)

Tools

Splashtop, AnyDesk, SuperOps RMM software, Cobalt Strike, Chisel.

Significant Malware Campaigns

• Energy management and automation giant Schneider Electric suffered a Cactus ransomware attack leading to the theft of corporate data. (January 2024)

References:

• Energy giant Schneider Electric hit by Cactus ransomware attack
• How Does CACTUS Ransomware Work?
• Cactus Ransomware