
The Cactus ransomware group has been active since March 2023 and has been reported to have targeted organisations across the industry spectrum.

Overview

Cactus is a Ransomware-as-a-Service (RaaS) operation that has been active since at least March 2023. Cactus gains initial access to target networks by exploiting known vulnerabilities in Fortinet virtual private network (VPN) appliances. The ransomware binary is itself stored in encrypted form, which makes it harder to detect and helps the malware evade antivirus and network monitoring tools.

According to Kroll researchers, the Cactus binary must be decrypted prior to execution. To achieve this, Cactus passes an AES key to the file ‘ntuser.dat’, stored in the C:\ProgramData directory. In addition to the AES key, the ntuser.dat file contains other configuration data, including the path to the original executable and a Base64-encoded string passed with the -i command-line argument. The contents of the file are hidden among hexadecimal-encoded junk strings and are further obfuscated by altering the alignment of the characters.

During the set-up phase, Cactus also establishes persistence by creating a copy of its executable in the C:\ProgramData directory. The executable copy follows the naming convention {VictimID}.exe, where the VictimID is four sets of four randomly generated characters separated by hyphens. Cactus creates and executes a scheduled task that runs the ‘C:\ProgramData\{VictimID}.exe -r’ command. When the Cactus ransomware executable is spawned, it begins decoding and decrypting the public RSA key. Once the public RSA key is obtained, multi-threaded encryption of victim files begins using an implementation of OpenSSL’s envelope encryption.
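As an added illustration that is not part of the original report, the following Python script shows how a defender could turn the set-up artifacts described above (the {VictimID}.exe copy in C:\ProgramData, the -r and -i arguments, and ntuser.dat outside a user profile) into a host-based check over normalised endpoint telemetry. The event records are constructed for this example, the alphanumeric character set assumed for the VictimID is an assumption (the report does not state the alphabet), and the function names are mine rather than any vendor tooling.

```python
import re

# Assumption: the report says the VictimID is four groups of four randomly
# generated characters separated by hyphens but gives no alphabet, so an
# alphanumeric class is used here.
VICTIMID_EXE = re.compile(
    r"^c:\\programdata\\[a-z0-9]{4}(?:-[a-z0-9]{4}){3}\.exe$", re.IGNORECASE
)
# The report describes "-r" (run after set-up) and "-i <base64>" (set-up)
# as Cactus command-line arguments.
RUN_FLAG = re.compile(r"(?:^|\s)-r(?:\s|$)")
INIT_FLAG = re.compile(r"(?:^|\s)-i\s+[A-Za-z0-9+/]+=*(?:\s|$)")
# ntuser.dat normally lives in a user profile directory, not C:\ProgramData.
CONFIG_FILE = re.compile(r"^c:\\programdata\\ntuser\.dat$", re.IGNORECASE)

# Constructed sample events in the shape an EDR / Sysmon feed might give you
# after normalisation: process-creation and file-creation records. Not real
# telemetry; the VictimID value is made up.
SAMPLE_EVENTS = [
    {"type": "process",
     "image": r"C:\ProgramData\k7p2-x9q1-m4n8-z3c6.exe",
     "cmdline": r"C:\ProgramData\k7p2-x9q1-m4n8-z3c6.exe -r"},
    {"type": "process",
     "image": r"C:\Program Files\Vendor\agent.exe",
     "cmdline": r"C:\Program Files\Vendor\agent.exe -r"},
    {"type": "file", "path": r"C:\Users\alice\ntuser.dat"},
    {"type": "file", "path": r"C:\ProgramData\ntuser.dat"},
    {"type": "process",
     "image": r"C:\ProgramData\k7p2-x9q1-m4n8-z3c6.exe",
     "cmdline": r'"C:\ProgramData\k7p2-x9q1-m4n8-z3c6.exe" -i QUJDREVGR0g='},
]


def classify_event(event):
    """Return the list of Cactus indicators matched by one normalised event.

    event is a dict with 'type' ('process' or 'file'); process events carry
    'image' and 'cmdline', file events carry 'path'. An empty list means no
    indicator matched.
    """
    reasons = []
    if event.get("type") == "process":
        image = event.get("image", "")
        cmdline = event.get("cmdline", "")
        # Only treat the arguments as suspicious when the image itself matches:
        # "-r" on its own is far too common to alert on.
        if VICTIMID_EXE.match(image):
            reasons.append("victimid_exe_in_programdata")
            if RUN_FLAG.search(cmdline):
                reasons.append("run_flag_-r")
            if INIT_FLAG.search(cmdline):
                reasons.append("init_flag_-i_base64")
    elif event.get("type") == "file":
        if CONFIG_FILE.match(event.get("path", "")):
            reasons.append("ntuser_dat_in_programdata")
    return reasons


def scan(events):
    """Return [(index, reasons)] for every event matching at least one indicator."""
    hits = []
    for i, ev in enumerate(events):
        reasons = classify_event(ev)
        if reasons:
            hits.append((i, reasons))
    return hits


if __name__ == "__main__":
    for idx, reasons in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {', '.join(reasons)}")
```

The image check gates the argument checks on purpose: a bare -r argument is common in legitimate software, so the executable path pattern carries the signal and the flags only raise confidence. In production the same logic would run over the EDR's process and file-creation events, and a scheduled-task creation event pointing at a matching C:\ProgramData path would be a third, independent source for the same indicator.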

Cactus ransomware operators use multiple remote access methods, including legitimate remote monitoring and management (RMM) tools such as Splashtop, AnyDesk and SuperOps, as well as Cobalt Strike and the Go-based proxy tool Chisel. After compromising a target network, the operators set up a Secure Shell (SSH) backdoor for command-and-control (C2) and maintain persistence via scheduled tasks. The group also steals data from its victims.

Impact

Successful exploitation by Cactus ransomware will almost certainly result in the encryption and exfiltration of significant quantities of data held on the compromised system, followed by a ransom demand of a predetermined value. The ransom amount demanded will almost certainly depend on the estimated value of the compromised organisation. Such a compromise will also cause reputational damage to the organisation. Encrypted data may include private customer data, corporate finance data and system credentials which, if released, can assist threat actors with future attacks.

Incident Detection

A comprehensive endpoint detection and response (EDR) solution, such as Microsoft Defender, can provide additional protection against ransomware threats such as Cactus. EDR solutions can alert system users to potential breaches and stop further progress before the malware can do significant damage.