Cactus (Ransomware) – Malware

April 19, 2024

Cactus

Type of Malware

Ransomware

Country of Origin

Unknown

Date of initial activity

2023

Associated Groups

Cactus Ransomware Group

Targeted Countries

The U.S., the U.K., Canada, Australia, France, Italy, Switzerland, Germany, Portugal.

Motivation

Financial Gain

Attack vectors

CACTUS ransomware uses known VPN vulnerabilities to gain access to its victims, which limits its pool of potential targets to those organizations using known vulnerable VPN appliances.

Targeted systems

Windows

Overview

CACTUS ransomware emerged in March 2023. It takes its name from the ransom note it drops on victims’ computers, cAcTuS.readme.txt. Encrypted files are given the extension .cts1, where the numeric portion of the extension varies.

Targets

CACTUS has primarily been observed targeting large enterprises, which have the resources to meet a large ransom demand. Target sectors: Manufacturing, Professional Services, Wholesale, Finance, Transportation.

How they operate

CACTUS ransomware typically exploits vulnerabilities in virtual private network (VPN) software to enter target environments. Once inside, it establishes command and control (C2) communications over SSH and uses Scheduled Tasks to persist across reboots. It then scans the network to identify further systems to infect and harvests user credentials by several methods, including reading web browser data and dumping LSASS. The stolen credentials are used to escalate privileges and spread to remote devices. Once established, the malware uses msiexec to uninstall common antivirus software and protects its own payload with encryption: the binary is distributed in encrypted form and requires an AES key to unpack, which hinders analysis by researchers and sandboxes and delays understanding of its capabilities. CACTUS follows a double-extortion approach: it encrypts data with RSA and AES while also attempting exfiltration, often using Rclone to copy stolen files to cloud storage. After encryption and exfiltration, it drops ransom notes on the victim’s device to press the extortion demand.
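As an added example (not code from the original page or from any vendor), the following Python triage routine checks EDR-style process and file-creation events for the behaviours described above: the cAcTuS.readme.txt note, the .cts<N> extension, msiexec-based uninstalls, Rclone execution and scheduled-task creation. The event schema, rule names and sample telemetry are constructed here; a verdict is only given when several of these behaviours co-occur, since each alone is common benign activity.

```python
import re
from collections import defaultdict

# Indicators named in the profile above: the cAcTuS.readme.txt note, files renamed
# to .cts<N> (numeric part varies), msiexec-driven AV removal, Rclone exfiltration
# and scheduled-task persistence. The event dict shape is constructed, EDR-like.
RANSOM_NOTE = "cactus.readme.txt"                      # compared case-insensitively
CTS_EXT = re.compile(r"\.cts\d+$", re.IGNORECASE)      # .cts1, .cts2, ...

def _proc(ev, image_name, cmd_pattern):
    """True for a process event whose image basename and command line both match."""
    if ev.get("type") != "process":
        return False
    image = ev.get("image", "").replace("\\", "/").rsplit("/", 1)[-1].lower()
    return image == image_name and re.search(cmd_pattern, ev.get("cmdline", ""), re.I) is not None

RULES = {
    "ransom_note_dropped": lambda ev: ev.get("type") == "file_create"
        and ev.get("path", "").lower().endswith(RANSOM_NOTE),
    "cts_extension_written": lambda ev: ev.get("type") == "file_create"
        and CTS_EXT.search(ev.get("path", "")) is not None,
    "msiexec_uninstall": lambda ev: _proc(ev, "msiexec.exe", r"(^|\s)/x\b"),
    "rclone_execution": lambda ev: _proc(ev, "rclone.exe", r""),
    "scheduled_task_created": lambda ev: _proc(ev, "schtasks.exe", r"/create\b"),
}

def triage(events, min_rules=2):
    """Map each rule to the ids of matching events; report a verdict only when at
    least `min_rules` distinct behaviours from the profile appear together."""
    hits = defaultdict(list)
    for ev in events:
        for name, pred in RULES.items():
            if pred(ev):
                hits[name].append(ev["id"])
    verdict = "likely_cactus_activity" if len(hits) >= min_rules else "insufficient"
    return dict(hits), verdict

# Constructed sample telemetry (not from a real incident); the GUID is a placeholder.
SAMPLE_EVENTS = [
    {"id": 1, "type": "process", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": "schtasks /create /sc onstart /tn Updater /tr C:\\ProgramData\\u.exe"},
    {"id": 2, "type": "process", "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": "msiexec /x {PLACEHOLDER-PRODUCT-GUID} /qn"},
    {"id": 3, "type": "file_create", "path": r"C:\Users\alice\Documents\budget.xlsx.cts1"},
    {"id": 4, "type": "file_create", "path": r"C:\Users\alice\Documents\cAcTuS.readme.txt"},
    {"id": 5, "type": "process", "image": r"C:\Users\alice\rclone.exe",
     "cmdline": "rclone copy C:\\Users\\alice\\Documents cloud:backup"},
    {"id": 6, "type": "file_create", "path": r"C:\Users\alice\Documents\notes.txt"},
]
```

Running `triage(SAMPLE_EVENTS)` fires all five rules on the constructed events and returns the positive verdict; a lone text file or a single benign scheduled task stays below the threshold.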

MITRE Techniques Used

Initial Access
  • Exploit Public-Facing Application (T1190)

Execution
  • Command and Scripting Interpreter (T1059)
  • Windows Management Instrumentation (T1047)
  • Shared Modules (T1129)
  • Software Deployment Tools (T1072)

Persistence
  • DLL Side-Loading (T1574.002)
  • Scheduled Task/Job (T1053)
  • Scheduled Task (T1053.005)
  • Create Account (T1136)

Privilege Escalation
  • Process Injection (T1055)
  • DLL Side-Loading (T1574.002)

Defense Evasion
  • Process Injection (T1055)
  • Obfuscated Files or Information (T1027)
  • Masquerading (T1036)
  • Virtualization/Sandbox Evasion (T1497)
  • Hidden Files and Directories (T1564.001)
  • DLL Side-Loading (T1574.002)
  • Impair Defenses (T1562)
  • Disable or Modify Tools (T1562.001)
  • Obfuscated Files or Information: Software Packing (T1027.002)

Credential Access
  • Input Capture (T1056)
  • Credentials from Password Stores (T1555)
  • Credentials from Web Browsers (T1555.003)
  • OS Credential Dumping (T1003)

Discovery
  • System Information Discovery (T1082)
  • Security Software Discovery (T1518.001)
  • Remote System Discovery (T1082)
  • Process Discovery (T1057)
  • File and Directory Discovery (T1083)
  • Virtualization/Sandbox Evasion (T1497)
  • System Network Connections Discovery (T1049)
  • Account Discovery (T1087)
  • Domain Account (T1087.002)

Lateral Movement
  • Remote Services (T1021)
  • Remote Services: Remote Desktop Protocol (T1021.001)
  • Lateral Tool Transfer (T1570)

Collection
  • Input Capture (T1056)
  • Automated Collection (T1119)

Command and Control
  • Application Layer Protocol (T1071)
  • Non-Application Layer Protocol (T1095)
  • Non-Standard Port (T1571)
  • Encrypted Channel (T1573)
  • Remote Access Software (T1219)
  • Proxy (T1090)

Exfiltration
  • Exfiltration Over Web Service (T1567)
  • Exfiltration Over Web Service: Exfiltration to Cloud Storage (T1567.002)

Impact
  • Data Encrypted for Impact (T1486)

Tools

Splashtop, AnyDesk, SuperOps RMM software, Cobalt Strike, Chisel.

Significant Malware Campaigns

  • Energy management and automation giant Schneider Electric suffered a Cactus ransomware attack leading to the theft of corporate data. (January 2024)

References:
  • Energy giant Schneider Electric hit by Cactus ransomware attack
  • How Does CACTUS Ransomware Work?
  • Cactus Ransomware