The Stealthy CACTUS Ransomware Menace: Exploiting VPN Appliance Flaws and Targeting Large Corporations

Ransomware is a growing concern for companies of all sizes, and cybersecurity researchers have recently shed light on a new strain called CACTUS. This ransomware has been targeting large commercial entities since March 2021, and it has been observed to leverage known flaws in VPN appliances to gain initial access to targeted networks. Once inside, it employs double extortion tactics to steal sensitive data and demands payment in exchange for a decryption key.

Exploitation of vulnerable VPN devices sets the stage

CACTUS begins its attack by exploiting known vulnerabilities in VPN devices to set up an SSH backdoor. Once this initial access is established, the attacker executes a series of PowerShell commands to conduct network scanning and identify a list of machines to encrypt. These commands also allow the attacker to maintain persistent access to the network, making it more difficult for the victim to detect and remove the ransomware.

Using sophisticated tools for command and control

CACTUS also utilizes sophisticated tools for command and control, including the popular penetration testing framework Cobalt Strike and a tunneling tool referred to as Chisel. The ransomware authors also make use of Remote Monitoring and Management (RMM) software like AnyDesk, allowing them to remotely control the infected machines and monitor their progress.

A unique batch script evades detection

One unique aspect of CACTUS is the use of a batch script to extract the ransomware binary with 7-Zip. This process makes it harder to detect as the ransomware essentially encrypts itself, removing the .7z archive before executing the payload. This technique allows CACTUS to evade antivirus and network monitoring tools, making it more challenging for defenders to detect and remove.

Insights from cybersecurity experts

Laurie Iacono, Associate Managing Director for Cyber Risk at Kroll, commented on the unique features of CACTUS. She notes that the ransomware’s ability to encrypt itself makes it more challenging to detect, and that this demonstrates the importance of continual adaptation by cybersecurity professionals to keep up with evolving threats.

Comparison to other ransomware families

The emergence of CACTUS comes just days after Trend Micro shed light on another type of ransomware known as Rapture. This new ransomware shares some similarities with other families, such as Paradise. The use of vulnerable public-facing websites and servers is a common tactic for ransomware authors looking to gain access to corporate networks. This makes it essential for organizations to keep their systems up-to-date and enforce the principle of least privilege (PoLP).

The rising trend of new ransomware families

CACTUS and Rapture are the latest additions to a long list of new ransomware families that have come to light in recent weeks. Other examples include Gazprom, BlackBit, UNIZA, Akira, and a NoCry ransomware variant called Kadavro Vector. This trend demonstrates the continued evolution of ransomware as a significant threat to organizations worldwide.

The emergence of CACTUS and other new ransomware families highlights the critical need for organizations to stay vigilant and proactive in their approach to cybersecurity. Companies must prioritize continuous monitoring of their systems, implement regular patching and updates, and enforce the Principle of Least Privilege (PoLP) to limit the impact of ransomware attacks. As ransomware authors continue to develop new tactics and tools, it is essential for defenders to remain one step ahead and continuously adapt their strategies to keep pace with evolving threats.

Explore more

Why Should Leaders Invest in Employee Career Growth?

In today’s fast-paced business landscape, a staggering statistic reveals the stakes of neglecting employee development: turnover costs the median S&P 500 company $480 million annually due to talent loss, underscoring a critical challenge for leaders. This immense financial burden highlights the urgent need to retain skilled individuals and maintain a competitive edge through strategic initiatives. Employee career growth, often overlooked

Making Time for Questions to Boost Workplace Curiosity

Introduction to Fostering Inquiry at Work Imagine a bustling office where deadlines loom large, meetings are packed with agendas, and every minute counts—yet no one dares to ask a clarifying question for fear of derailing the schedule. This scenario is all too common in modern workplaces, where the pressure to perform often overshadows the need for curiosity. Fostering an environment

Embedded Finance: From SaaS Promise to SME Practice

Imagine a small business owner managing daily operations through a single software platform, seamlessly handling not just inventory or customer relations but also payments, loans, and business accounts without ever stepping into a bank. This is the transformative vision of embedded finance, a trend that integrates financial services directly into vertical Software-as-a-Service (SaaS) platforms, turning them into indispensable tools for

DevOps Tools: Gateways to Major Cyberattacks Exposed

In the rapidly evolving digital ecosystem, DevOps tools have emerged as indispensable assets for organizations aiming to streamline software development and IT operations with unmatched efficiency, making them critical to modern business success. Platforms like GitHub, Jira, and Confluence enable seamless collaboration, allowing teams to manage code, track projects, and document workflows at an accelerated pace. However, this very integration

Trend Analysis: Agentic DevOps in Digital Transformation

In an era where digital transformation remains a critical yet elusive goal for countless enterprises, the frustration of stalled progress is palpable— over 70% of initiatives fail to meet expectations, costing billions annually in wasted resources and missed opportunities. This staggering reality underscores a persistent struggle to modernize IT infrastructure amid soaring costs and sluggish timelines. As companies grapple with