Analysis
The Cactus ransomware operation has been exploiting known vulnerabilities in VPN appliances to gain initial access to the networks of large commercial organisations since at least March 2023. Once inside, the actor uses a batch script to extract the encryptor binary from a 7-Zip archive and then launches it with a specific command-line parameter that allows it to run. File encryption is only possible if a particular AES key, known only to the attackers, is supplied via the -i command-line flag. Before encrypting, the actor steals data from the victim's network and demands a ransom, threatening to publish the stolen information if it is not paid. For reconnaissance, Cactus uses a modified variant of the free PSnmap tool together with the SoftPerfect Network Scanner (netscan) to scan the network for interesting targets before running the various attack-related applications.
The actor also exfiltrates the stolen data with Rclone, which copies files straight from the victim's network to cloud storage. What sets Cactus apart from other ransomware is that the encryptor binary is itself encrypted to protect it from analysis: without the key supplied via -i it cannot be decrypted and executed, which makes it harder to detect and block with antivirus and network monitoring tools.
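The deployment chain described above (a batch script extracting the encryptor with 7-Zip, the encryptor launched with -i, netscan for scanning, Rclone for exfiltration) lends itself to a process-telemetry detection. The script below is an added example, not code from the article or from any vendor: it runs over a constructed, Sysmon-style process-creation log whose field layout, hostnames, paths, PIDs and timestamps are all made up, and the assumption that the -i argument is a long opaque token is mine, since the article does not give the key's format.

```python
"""Detect the Cactus deployment chain in process-creation telemetry.

Added example, not code from the article or from any vendor. It parses a
constructed, Sysmon-style process-creation log (field layout, hostnames,
paths, PIDs and timestamps are all made up) and flags:
  * a batch script that extracts an archive with 7-Zip and then launches a
    sibling process with the "-i <key>" flag (the encryptor's key argument);
  * execution of the scanning and exfiltration tools named in the article
    (SoftPerfect netscan, Rclone).
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log: time|host|pid|ppid|image|command_line
SAMPLE_LOG = """\
2023-05-01T10:00:01|WS01|4000|3990|C:\\Windows\\System32\\cmd.exe|cmd.exe /c C:\\ProgramData\\deploy.bat
2023-05-01T10:00:02|WS01|4010|4000|C:\\Program Files\\7-Zip\\7z.exe|7z.exe x -pPlaceholder payload.7z -oC:\\ProgramData
2023-05-01T10:00:05|WS01|4020|4000|C:\\ProgramData\\svchst.exe|svchst.exe -i 0123456789abcdef0123456789abcdef
2023-05-01T10:05:00|WS01|4100|900|C:\\Users\\a\\netscan.exe|netscan.exe /range:10.0.0.1-10.0.0.254
2023-05-01T11:00:00|WS01|4200|900|C:\\Users\\a\\rclone.exe|rclone.exe copy D:\\Finance remote:bucket --transfers 8
2023-05-01T12:00:00|WS02|5000|4990|C:\\Windows\\System32\\cmd.exe|cmd.exe /c nightly.bat
2023-05-01T12:00:01|WS02|5010|5000|C:\\Program Files\\7-Zip\\7z.exe|7z.exe a backup.7z D:\\Shares
"""


@dataclass(frozen=True)
class ProcEvent:
    time: datetime
    host: str
    pid: int
    ppid: int
    image: str
    cmdline: str

    @property
    def name(self) -> str:
        """Lower-cased image file name without the directory."""
        return self.image.rsplit("\\", 1)[-1].lower()


def parse_log(text: str) -> list[ProcEvent]:
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        t, host, pid, ppid, image, cmd = line.split("|", 5)
        events.append(ProcEvent(datetime.fromisoformat(t), host, int(pid), int(ppid), image, cmd))
    return events


# "7z x" / "7z e" are the extraction verbs; "7z a" (create archive) is routine admin use.
SEVENZIP_EXTRACT = re.compile(r"(?i)\b7z[ag]?\.exe\s+[xe]\b")
# The article says the key is passed with -i but not its format, so any long
# opaque token following -i is treated as a candidate (assumption).
KEY_FLAG = re.compile(r"(?:^|\s)-i\s+\S{16,}")
BATCH_SCRIPT = re.compile(r"(?i)\.bat\b")
TOOLS = {"netscan.exe": "network_scan", "rclone.exe": "cloud_exfil"}


def detect(events: list[ProcEvent], window: timedelta = timedelta(minutes=10)) -> list[tuple[str, str, str]]:
    """Return (host, finding, command_line) tuples, per host in time order."""
    findings = []
    by_host: dict[str, list[ProcEvent]] = {}
    for ev in events:
        by_host.setdefault(ev.host, []).append(ev)
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e.time)
        by_pid = {e.pid: e for e in evs}
        for ev in evs:
            if ev.name in TOOLS:
                findings.append((host, TOOLS[ev.name], ev.cmdline))
            if not SEVENZIP_EXTRACT.search(ev.cmdline):
                continue
            parent = by_pid.get(ev.ppid)
            if parent is None or not BATCH_SCRIPT.search(parent.cmdline):
                continue  # extraction not driven by a batch script
            # Look for a sibling (same parent script) started with -i shortly after the extraction.
            for sib in evs:
                if (sib.ppid == ev.ppid and sib.pid != ev.pid
                        and ev.time <= sib.time <= ev.time + window
                        and KEY_FLAG.search(sib.cmdline)):
                    findings.append((host, "cactus_deploy_chain", sib.cmdline))
    return findings


if __name__ == "__main__":
    for host, kind, cmd in detect(parse_log(SAMPLE_LOG)):
        print(f"[{host}] {kind}: {cmd}")
```

Run stand-alone it reports the chain, the scan and the exfiltration on WS01 and stays silent on WS02, where 7-Zip is only creating a backup archive; the parent-is-a-batch-script requirement and the time window are what keep an ordinary extraction from firing.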
Prevention
- Patch your VPN appliances: Cactus has gained initial access by exploiting known vulnerabilities in Fortinet VPN appliances. Make sure all security patches are installed and that the devices run the latest supported firmware.
- Use strong passwords: Cactus gains initial access through VPN server accounts, so every account must use a strong, unique password that cannot be guessed.
- Enforce multi-factor authentication (MFA): enable MFA on all VPN accounts so that a compromised password alone is not enough to get in.
- Use antivirus software: install antivirus software and keep it updated to help detect and block malicious software.
- Train your staff: teach staff to recognise suspicious emails, attachments and URLs, and encourage them to report anything unusual promptly.
- Back up data regularly: keep copies of critical files on an external device or in the cloud. Make sure backups are encrypted and not directly connected to the network, so that ransomware cannot reach them.
- Restrict access: grant access to sensitive data and systems only to those who need it for their job, and use role-based access control (RBAC) to prevent unauthorised access.
Detection
- Encrypted files: Cactus encrypts files and appends its own extension to each encrypted file; a sudden appearance of files with an unfamiliar extension is a strong signal.
- Ransom notes: Cactus drops a ransom note in every location where it encrypts data. The note typically explains how to pay the ransom and obtain the decryption key.
- Unusual network activity: monitoring network traffic can reveal Cactus communicating with its command-and-control (C&C) server, as well as bulk outbound transfers to cloud storage during exfiltration.
- Suspicious processes: the ransomware may start new processes or inject code into running ones to carry out its operations. Monitoring for unusual process activity, for example a batch script extracting an archive with 7-Zip and then launching an unknown binary, can surface the malware.
- System changes: Cactus can alter system settings, such as disabling security software or changing firewall rules. Monitoring system logs, or using security software that alerts on such modifications, can reveal these changes.
Indicators of Compromise (IOCs)
- Encrypted files with the ".CACTUSTEAM" extension.
- A changed desktop wallpaper or a "Readme.txt" file containing a ransom note that explains how to pay.
- The presence of suspicious files such as "xmr.exe", "b.bat", "r.bat" or "settings.ini".
- Modifications to the Windows registry, such as new keys being added or existing ones deleted.
- Communication with known C&C (command and control) servers.
- Unusual spikes in CPU or network usage.
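The file-system indicators in the Detection and IOC lists above (the encrypted-file extension, the ransom note, the dropped tool names) can be swept for on a host with a short script. The following is an added example, not code from the article or from any vendor tooling: the directory layout and file contents it builds are constructed fixtures, and the per-directory "fraction encrypted" measure and the rule that a Readme.txt only counts when encrypted files sit beside it are my design choices, not something the article specifies.

```python
"""Sweep a file tree for the host-level Cactus indicators listed in the article.

Added example, not code from the article or from any vendor tooling. It walks a
directory tree and reports:
  * directories containing files with the ".CACTUSTEAM" extension, with the
    fraction of files in that directory affected;
  * a "Readme.txt" ransom note, counted only when it sits beside encrypted
    files (a lone readme is far too common to be an indicator on its own);
  * the dropped file names the article lists (xmr.exe, b.bat, r.bat, settings.ini).
A small constructed tree is built in a temporary directory so it runs offline.
"""
from __future__ import annotations

import os
import tempfile
from dataclasses import dataclass, field
from pathlib import Path

ENCRYPTED_EXT = ".cactusteam"      # compared case-insensitively
RANSOM_NOTE = "readme.txt"
DROPPED_FILES = {"xmr.exe", "b.bat", "r.bat", "settings.ini"}


@dataclass
class SweepResult:
    encrypted_dirs: dict[str, float] = field(default_factory=dict)  # dir -> fraction encrypted
    ransom_notes: list[str] = field(default_factory=list)
    dropped_files: list[str] = field(default_factory=list)

    def is_hit(self) -> bool:
        return bool(self.encrypted_dirs or self.dropped_files)


def sweep(root: str | os.PathLike) -> SweepResult:
    res = SweepResult()
    for dirpath, _subdirs, files in os.walk(root):
        if not files:
            continue
        encrypted = [f for f in files if f.lower().endswith(ENCRYPTED_EXT)]
        if encrypted:
            res.encrypted_dirs[dirpath] = len(encrypted) / len(files)
            # The note is only meaningful next to encrypted files.
            res.ransom_notes += [os.path.join(dirpath, f) for f in files if f.lower() == RANSOM_NOTE]
        res.dropped_files += [os.path.join(dirpath, f) for f in files if f.lower() in DROPPED_FILES]
    return res


def build_sample_tree(root: Path) -> None:
    """Constructed fixture: one encrypted share, one clean share, one tool drop."""
    finance = root / "Shares" / "Finance"
    finance.mkdir(parents=True)
    for i in range(8):
        (finance / f"q{i}.xlsx.CACTUSTEAM").write_bytes(b"\x00" * 16)
    (finance / "notes.txt").write_text("left unencrypted")
    (finance / "Readme.txt").write_text("constructed ransom note")
    hr = root / "Shares" / "HR"
    hr.mkdir()
    (hr / "Readme.txt").write_text("ordinary project readme, not an indicator")
    (hr / "policy.docx").write_bytes(b"PK")
    tools = root / "ProgramData"
    tools.mkdir()
    (tools / "b.bat").write_text("rem constructed")
    (tools / "settings.ini").write_text("[constructed]")


def demo() -> SweepResult:
    """Build the fixture in a temp dir, sweep it and return the result."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return sweep(root)


if __name__ == "__main__":
    result = demo()
    for d, frac in result.encrypted_dirs.items():
        print(f"{frac:.0%} of files encrypted in {d}")
    for p in result.ransom_notes:
        print(f"ransom note: {p}")
    for p in result.dropped_files:
        print(f"dropped file: {p}")
    print("HIT" if result.is_hit() else "clean")
```

On the fixture the Finance share comes back 80% encrypted with its ransom note, the HR share with its ordinary Readme.txt is ignored, and the two dropped files in ProgramData are listed; point `sweep()` at a real share root to use it outside the demo.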
References
BleepingComputer