Chris Swagler | May 9th, 2023

Cactus, a new ransomware operation, has been using vulnerabilities in VPN appliances to get initial access to networks of enterprise organizations. Cactus ransomware has been operating since at least March, and it’s aiming for large payouts from victims. Even though the threat actor used the standard ransomware tactics of file encryption and data theft, it added its own twist to avoid detection. 

According to corporate investigation and risk consulting company researchers, Cactus is believed to gain initial access to victims’ networks by exploiting known vulnerabilities in Fortinet VPN appliances. The assessment is based on the observation that the threat operator pivoted inside from a VPN server using a VPN service account in all incidents investigated. Using encryption to secure the ransomware binary distinguishes Cactus from other operations. The threat actor retrieves the encryption binary by using 7-Zip and a batch script. The original ZIP archive is discarded, and the binary is delivered with an execution flag. The entire procedure is uncommon, and the researchers believe it’s done to avoid the ransomware encryptor being detected.

The investigators indicated in a technical report that there are three significant modes of execution, each of which is selected with a distinct command line switch: setup (-s), read configuration (-r), and encryption (-i). The -s and -r arguments enable threat actors to configure persistence and save data in a C:\ProgramData\ntuser.dat file, which is later read by the encryptor when the -r command line argument is used. However, a unique AES key known only to the threat operators must be supplied using the -I command line argument for file encryption to be enabled. The key is required to decrypt the ransomware’s configuration file, and a public RSA key is needed to encrypt files. It’s hardcoded in the encryptor binary as a HEX string. CACTUS encrypts itself, making detecting and assisting in evading antivirus and network monitoring tools difficult. When the binary runs with the correct key for the -I (encryption) parameter, the information is unlocked, allowing the malware to search for files and begin a multi-thread encryption operation.

A ransomware expert examined how Cactus encrypted data and explained how the malware utilizes numerous extensions for its target files, depending on the processing status. Cactus converts the file extension to “.CTS0” when preparing the file for encryption, and the extension becomes CTS1 after the encryption. However, Cactus contains a “quick mode,” which is like a light encryption pass. When the malware runs in quick and normal mode simultaneously, it encrypts the same file twice and appends a new extension after each process. The number at the end of the.CTS extension changed between several Cactus ransomware incidents.

Once within the network, threat actors used a scheduled task to gain persistent access through an SSH backdoor accessible using the command and control (C2) server. According to investigators, Cactus used SoftPerfect Network Scanner (netscan) to hunt for intriguing targets on networks. Threat operators utilized PowerShell commands to enumerate endpoints, identify user accounts by observing successful logins in Windows Event Viewer, and ping remote hosts for deeper reconnaissance. Additionally, researchers explain that the Cactus ransomware employed a customized variant of the open-source PSnmap Tool, a PowerShell equivalent of the Nmap network scanner. The investigators said that Cactus ransomware tries different remote access methods using legitimate tools, including Splashtop, AnyDesk, SuperOps RMM, Cobalt Strike, and the Go-based proxy tool Chisel, to launch various tools required for the attack. Cactus operators run a batch script to uninstall the most used antivirus software after escalating machine privileges.

Like most ransomware operations, Cactus steals data from victims, and threat actors transfer files directly to cloud storage using the Rclone tool. Following data exfiltration, threat operators utilized a PowerShell script named TotalExec, commonly observed in BlackBasta ransomware operations, to automate the encryption process. The encryption routine in Cactus ransomware attacks is unique. It doesn’t appear exclusive to Cactus because the BlackBasta ransomware group has recently adopted a similar encryption approach. There is no public information on the ransoms Cactus demands from its victims. However, a source explained that they’re in the millions. Even if threat operators steal victims’ data, it doesn’t appear they’re in the millions.

Even if threat operators steal data from victims, it doesn’t appear they’ve set up a leak site, as other ransomware operations engaged in double-extortion have. Threat actors threaten to publish the victims’ stolen files unless they pay. Extensive information on the Cactus operation, the victims they target, and if threat operators will keep their promise and supply a reliable decryptor if paid are not yet available. What’s evident is that the threat operators’ invasions have most likely exploited vulnerabilities in the Fortinet VPN appliance and followed the standard double-extortion strategy of stealing data before encrypting it. Using the most recent vendor software updates, monitoring the networks for massive data exfiltration processes, and responding fast should defend against the final and most severe stages of ransomware attacks.

With new and current ransomware groups using new tactics, techniques, and procedures in their cyberattacks to avoid antivirus software, it becomes critical for companies to stay ahead of the latest threat landscape and regularly update their antivirus software. SpearTip engages with companies’ people, processes, and technology to measure the security environment’s maturity. SpearTip’s extensive experience gained through responding to tens of thousands of security incidents and our consulting team’s expertise in researching the most modern security practices will improve companies’ operational, procedural, and technical control gaps based on security standards. Our assessments leave no stone unturned in examining how companies leverage their current technology. We review application and operating system access controls and analyze physical access to their systems. We conclude with detailed reports and recommendations to keep companies compliant and safe according to industry standards. 43% of data breaches involve attacks against web applications. Companies can protect themselves from breaches originating through web applications with our comprehensive assessments.

If your company is experiencing a breach, call our Security Operations Centers at 833.997.7327 to speak directly with an engineer.

Stay Connected With SpearTip

Inside the SOC Newsletter

View our articles that cover trending topics in cybersecurity with insights from our 24/7/365 Security Operations Center.

ShadowSpear Platform

Cybersecurity actors are working around the clock, shouldn’t your security team be too? Technology solutions and security controls fail for a number of reasons, poor deployment, improper implementation, or just no one monitoring the alerts.

ShadowSpear Demo

Experience ShadowSpear for yourself. Our lightweight, integrated solution will help you sleep easier at night and provide immediate confidence in your security posture.