Cactus Ransomware: A Thorny New Threat on the Horizon

by Cyborg Security on May 16, 2023

What is Cactus Ransomware?

Unleashing a prickly assault on the cyber landscape, the recently discovered Cactus Ransomware has been actively wreaking havoc since March 2023. Its unique moniker, “Cactus”, is derived from the filename linked to the ransom note it leaves in its wake. With a distinctive ability to encrypt itself, Cactus cleverly evades detection, setting it apart from other ransomware variants. Its primary targets? Commercial institutions, where it exploits vulnerabilities in Fortinet VPN appliances to gain initial access and demands sizable ransom payouts. As Cactus continues to evolve and potentially proliferates worldwide, understanding and preparing for this elusive threat is more crucial than ever.

Campaign Summary

Capitalizing on the vulnerabilities of Fortinet VPN appliances, Cactus Ransomware successfully breaches initial security barriers. The cunning operators behind this campaign have been predominantly zeroing in on commercial institutions, with a clear financial motivation fueling their actions. This recent, yet potent variant has been displaying its tenacity since its debut in March 2023, marking a new chapter in the cyber threat narrative.

Technical Details of the Attack

Cactus Ransomware’s modus operandi is as intriguing as it is destructive. Once it infiltrates a network through a VPN service account, the attack unfolds with a systematic approach. Reconnaissance begins with domain and endpoint enumeration, while a persistent SSH backdoor is established. The attackers cunningly exploit legitimate remote access tools like AnyDesk, Splashtop, and SuperOps RMM, as well as Cobalt Strike and Chisel, to cloak their communication with C2 servers.

As they consolidate their grip on the network, the attackers uninstall anti-virus software using msiexec.exe and extract the necessary credentials via web browser and LSASS credential dumping. The double extortion tactics involve exfiltrating sensitive data via tools that transfer files to cloud storage solutions, like Rclone.

The innovative self-encryption characteristic of Cactus adds another layer of complexity to its attacks. It uses a script called “TotalExec.ps1” and PsExec to automate the setup of its deployment, which involves setting up an admin user account and extracting the ransomware payload. During encryption, Cactus employs OpenSSL’s envelope implementation to encrypt victims’ files with AES and RSA, appending the files with the extension “cts\d”. A ransom note, aptly named “cAcTuS.readme.txt”, provides negotiation instructions.