Cybersecurity researchers have shed light on a new strain of ransomware called CACTUS that has been found to exploit known flaws in VPN appliances to gain initial access to targeted networks.
“Once inside the network, CACTUS actors attempt to enumerate local and network user accounts in addition to accessible endpoints before creating new user accounts and leveraging custom scripts to automate the deployment and detonation of the ransomware encryptor via scheduled tasks,” Kroll said in a report shared with The Hacker News.
The ransomware has been observed targeting large commercial entities since March 2023, with attacks using double extortion tactics to steal sensitive data before encryption. No data leak site has been identified so far.
After successful exploitation of vulnerable VPN devices, an SSH backdoor is configured to maintain persistent access, and a series of PowerShell commands are run to perform network scanning and identify a list of machines to encrypt.
CACTUS attacks also use Cobalt Strike and a tunneling tool called Chisel for command and control, along with remote monitoring and management (RMM) software like AnyDesk to send files to infected hosts.
Steps are also taken to disable and uninstall security solutions, as well as extract credentials from web browsers and the Local Security Authority Subsystem Service (LSASS) to elevate privileges.
Privilege escalation is followed by lateral movement, data exfiltration, and ransomware deployment, the latter of which is accomplished via a PowerShell script that Black Basta also used.
A new aspect of CACTUS is the use of a batch script to extract the ransomware binary with 7-Zip, followed by removing the .7z archive before running the payload.
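The scheduled-task detonation and the 7-Zip extract-then-delete-then-run sequence described above are both visible in ordinary process-creation telemetry. The following Python is an added detection sketch, not code from Kroll or The Hacker News: it runs two rules over a handful of constructed Sysmon-style process events (fictional host names, paths and timestamps) and flags (a) a scheduled task whose action lives in a user-writable directory and (b) a 7-Zip extraction followed, within a short window, by deletion of the same .7z archive and execution of a binary from the extraction directory. The field names, the user-writable path list and the ten-minute window are assumptions chosen for the example.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class ProcEvent:
    ts: datetime
    host: str
    image: str    # full path of the created process
    cmdline: str  # full command line as logged
    parent: str   # parent process image


# Directories a non-admin user can write to (assumed list). A task action or
# payload living here is the suspicious part, not schtasks or 7-Zip as such.
USER_WRITABLE = re.compile(
    r"(?<![\w\\])[a-z]:\\(users\\public|users\\[^\\]+\\appdata|programdata|windows\\temp)\\",
    re.I)


def tokens(cmdline):
    """Split a Windows command line, keeping quoted paths as one token."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_7z_extract(cmdline):
    """Return (archive, out_dir, password_protected) for a '7z x/e' command, else None."""
    t = tokens(cmdline)
    if len(t) < 3 or basename(t[0]) not in ("7z.exe", "7z", "7za.exe"):
        return None
    if t[1].lower() not in ("x", "e"):
        return None
    archive = next((a for a in t[2:] if a.lower().endswith(".7z")), None)
    out = next((a[2:] for a in t[2:] if a.lower().startswith("-o")), None)
    if archive is None or out is None:
        return None
    password_protected = any(a.startswith("-p") for a in t[2:])
    return archive, out.rstrip("\\") + "\\", password_protected


def is_delete_of(cmdline, archive):
    """True if the command line deletes exactly this archive path."""
    t = [x.lower() for x in tokens(cmdline)]
    return any(x in ("del", "erase") for x in t) and archive.lower() in t


def scheduled_task_detonations(events):
    """Rule (a): schtasks /create whose /tr action points into a user-writable path."""
    hits = []
    for ev in events:
        t = tokens(ev.cmdline)
        if not t or basename(t[0]) not in ("schtasks.exe", "schtasks"):
            continue
        low = [x.lower() for x in t]
        if "/create" not in low or "/tr" not in low or low.index("/tr") + 1 >= len(t):
            continue
        action = t[low.index("/tr") + 1]
        if USER_WRITABLE.search(action):
            hits.append({"host": ev.host, "ts": ev.ts, "action": action})
    return hits


def unpack_delete_run(events, window=timedelta(minutes=10)):
    """Rule (b): 7z extract -> delete of the same .7z -> process started from the output dir."""
    hits, by_host = [], {}
    for ev in sorted(events, key=lambda e: e.ts):
        by_host.setdefault(ev.host, []).append(ev)
    for host, evs in by_host.items():
        for i, ev in enumerate(evs):
            parsed = parse_7z_extract(ev.cmdline)
            if not parsed:
                continue
            archive, out, pw = parsed
            deleted = ran = None
            for later in evs[i + 1:]:
                if later.ts - ev.ts > window:
                    break
                if deleted is None and is_delete_of(later.cmdline, archive):
                    deleted = later
                elif deleted is not None and later.image.lower().startswith(out.lower()):
                    ran = later
                    break
            if deleted and ran:
                hits.append({"host": host, "ts": ev.ts, "archive": archive,
                             "payload": ran.image, "password_protected": pw})
    return hits


# Constructed sample telemetry (fictional hosts, paths, times and password).
SAMPLE = [
    ProcEvent(datetime(2023, 5, 1, 2, 14, 0), "WS01", r"C:\Windows\System32\schtasks.exe",
              r'schtasks.exe /create /sc once /st 02:20 /tn "Updater" /tr "C:\Users\Public\run.bat" /ru SYSTEM',
              r"C:\Windows\System32\cmd.exe"),
    ProcEvent(datetime(2023, 5, 1, 2, 20, 1), "WS01", r"C:\Windows\System32\cmd.exe",
              r"cmd.exe /c C:\Users\Public\run.bat", r"C:\Windows\System32\svchost.exe"),
    ProcEvent(datetime(2023, 5, 1, 2, 20, 2), "WS01", r"C:\Program Files\7-Zip\7z.exe",
              r"7z.exe x -pEXAMPLEKEY C:\Users\Public\pkg.7z -oC:\Users\Public", r"C:\Windows\System32\cmd.exe"),
    ProcEvent(datetime(2023, 5, 1, 2, 20, 3), "WS01", r"C:\Windows\System32\cmd.exe",
              r"cmd.exe /c del C:\Users\Public\pkg.7z", r"C:\Windows\System32\cmd.exe"),
    ProcEvent(datetime(2023, 5, 1, 2, 20, 4), "WS01", r"C:\Users\Public\payload.exe",
              r"C:\Users\Public\payload.exe -i", r"C:\Windows\System32\cmd.exe"),
    # Benign activity on another host: interactive unpack, no delete, signed-path task.
    ProcEvent(datetime(2023, 5, 1, 9, 0, 0), "WS02", r"C:\Program Files\7-Zip\7z.exe",
              r'"C:\Program Files\7-Zip\7z.exe" x C:\Users\alice\Downloads\report.7z -oC:\Users\alice\Downloads\report',
              r"C:\Windows\explorer.exe"),
    ProcEvent(datetime(2023, 5, 1, 9, 5, 0), "WS02", r"C:\Windows\System32\schtasks.exe",
              r'schtasks /create /sc daily /tn "Backup" /tr "C:\Program Files\Backup\backup.exe"',
              r"C:\Windows\System32\cmd.exe"),
]

if __name__ == "__main__":
    for hit in scheduled_task_detonations(SAMPLE) + unpack_delete_run(SAMPLE):
        print(hit)
```

Both rules key on the combination rather than on any single tool, since schtasks and 7-Zip are everyday administrative utilities; in production the window, the path list and the delete-command matching would be tuned to the environment's own baseline.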
“CACTUS essentially encrypts itself, making it harder to detect and helping it evade antivirus and network monitoring tools,” Laurie Iacono, Kroll’s associate managing director of cyber risk, told The Hacker News.
“This new ransomware variant named CACTUS exploits a vulnerability in a popular VPN appliance, showing that threat actors continue to target remote access services and unpatched vulnerabilities for initial access.”
The development comes days after Trend Micro detailed another ransomware family known as Rapture that has some similarities to other families such as Paradise.
“The entire infection chain spans three to five days at most,” the company said, with the initial reconnaissance followed by the deployment of Cobalt Strike, which is then used to unleash the .NET-based ransomware.
The intrusion is suspected to be facilitated through vulnerable public websites and servers, so it is imperative that companies take steps to keep systems up-to-date and enforce the Principle of Least Privilege (PoLP).
“Although its operators use readily available tools and resources, they have managed to use them in a way that enhances Rapture’s capabilities by making it more stealthy and difficult to analyze,” Trend Micro said.
CACTUS and Rapture are the latest additions to a long list of new ransomware families that have come to light in recent weeks, including Gazprom, BlackBit, UNIZA, Akira, and a NoCry ransomware variant called Kadavro Vector.
Ikaroa, a full stack tech company, is warning businesses around the world to be careful of a new strain of ransomware, dubbed ‘CACTUS’, that exploits VPN flaws in order to infiltrate networks. The strain of ransomware is one of the most dangerous to be uncovered in recent years, as it can spread rapidly if even one system is compromised.
CACTUS ransomware is capable of taking advantage of weaknesses in VPN software and exploiting them for its own gain. It will then encrypt all files and demand a ransom in order to restore access to the target system. Additionally, CACTUS ransomware can spread to other systems on the same network, making it especially dangerous.
It is therefore essential that businesses take action to protect themselves from the threat of CACTUS ransomware. Ikaroa’s experts recommend that companies regularly patch and update all of their software, especially VPN, in order to minimize the chances of a successful ransomware attack. Additionally, good cyber hygiene is recommended, including restricting access to sensitive files, regularly backing up data, and training staff on cyber security best practices.
If your company has already been infiltrated by CACTUS ransomware or any other malicious software, Ikaroa can provide assistance in getting rid of the threat and restoring data that has been encrypted. Our team of experts has extensive experience in dealing with cyber security threats, both on a proactive and reactive basis.
In conclusion, CACTUS ransomware is an especially dangerous strain of malicious software, and businesses should take steps to protect themselves from it. With the help of iTango, businesses can take proactive steps to secure their networks and reduce the risk of ransomware. In the event of an attack, Ikaroa has the skills and expertise to help restore systems quickly and securely, reducing the financial and reputational damage of a ransomware attack.