The Stealthy CACTUS Ransomware Menace: Exploiting VPN Appliance Flaws and Targeting Large Corporations

Ransomware is a growing concern for companies of all sizes, and cybersecurity researchers have recently shed light on a new strain called CACTUS. This ransomware has been targeting large commercial entities since March 2021, and it has been observed to leverage known flaws in VPN appliances to gain initial access to targeted networks. Once inside, it employs double extortion tactics to steal sensitive data and demands payment in exchange for a decryption key.

Exploitation of vulnerable VPN devices sets the stage

CACTUS begins its attack by exploiting known vulnerabilities in VPN devices to set up an SSH backdoor. Once this initial access is established, the attacker executes a series of PowerShell commands to conduct network scanning and identify a list of machines to encrypt. These commands also allow the attacker to maintain persistent access to the network, making it more difficult for the victim to detect and remove the ransomware.

Using sophisticated tools for command and control

CACTUS also utilizes sophisticated tools for command and control, including the popular penetration testing framework Cobalt Strike and a tunneling tool referred to as Chisel. The ransomware authors also make use of Remote Monitoring and Management (RMM) software like AnyDesk, allowing them to remotely control the infected machines and monitor their progress.

A unique batch script evades detection

One unique aspect of CACTUS is the use of a batch script to extract the ransomware binary with 7-Zip. This process makes it harder to detect as the ransomware essentially encrypts itself, removing the .7z archive before executing the payload. This technique allows CACTUS to evade antivirus and network monitoring tools, making it more challenging for defenders to detect and remove.

Insights from cybersecurity experts

Laurie Iacono, Associate Managing Director for Cyber Risk at Kroll, commented on the unique features of CACTUS. She notes that the ransomware’s ability to encrypt itself makes it more challenging to detect, and that this demonstrates the importance of continual adaptation by cybersecurity professionals to keep up with evolving threats.

Comparison to other ransomware families

The emergence of CACTUS comes just days after Trend Micro shed light on another type of ransomware known as Rapture. This new ransomware shares some similarities with other families, such as Paradise. The use of vulnerable public-facing websites and servers is a common tactic for ransomware authors looking to gain access to corporate networks. This makes it essential for organizations to keep their systems up-to-date and enforce the principle of least privilege (PoLP).

The rising trend of new ransomware families

CACTUS and Rapture are the latest additions to a long list of new ransomware families that have come to light in recent weeks. Other examples include Gazprom, BlackBit, UNIZA, Akira, and a NoCry ransomware variant called Kadavro Vector. This trend demonstrates the continued evolution of ransomware as a significant threat to organizations worldwide.

The emergence of CACTUS and other new ransomware families highlights the critical need for organizations to stay vigilant and proactive in their approach to cybersecurity. Companies must prioritize continuous monitoring of their systems, implement regular patching and updates, and enforce the Principle of Least Privilege (PoLP) to limit the impact of ransomware attacks. As ransomware authors continue to develop new tactics and tools, it is essential for defenders to remain one step ahead and continuously adapt their strategies to keep pace with evolving threats.

Explore more

Compliance Drives Regulated B2B Influencer Marketing in 2026

The shifting landscape of digital authority has fundamentally transformed how enterprise-level organizations engage with industry experts and thought leaders across global markets. As the professional world moves deeper into this period of technological saturation, the superficial tactics of the past have been replaced by a rigorous commitment to transparency and legal precision. In earlier years, the simple inclusion of a

Transforming Voice of the Customer Into Predictive Action

Corporate boardrooms often overflow with real-time dashboards and complex analytics, yet many organizations still find themselves blindsided by sudden shifts in customer loyalty and market demand. While the technology to capture feedback has become ubiquitous, the structural ability to interpret and act upon that data in a meaningful timeframe remains remarkably rare for the average enterprise. Most traditional systems are

How Will Databricks CustomerLake Redefine Agentic Marketing?

The ongoing evolution of the digital landscape has forced a radical reconsideration of how enterprises capture, process, and ultimately utilize the vast oceans of consumer data generated every second of the day. Modern marketing departments have long struggled with the paradox of having too much information but not enough actionable insight to drive meaningful consumer interactions in real time. The

How Can Small Banks Compete With Global Financial Giants?

Nikolai Braiden has seen the evolution of financial architecture from its early blockchain roots to the current wave of institutional modernization, and today he joins us to dissect a pivotal shift in venture capital. With BankTech Ventures recently deploying $15 million into AI and stablecoin solutions, the landscape for regional banking is undergoing a profound transformation. Braiden’s perspective as an

Bullski Presale Tops the List of Best Meme Coins for 2026

The current cryptocurrency market in 2026 has transitioned into a highly sophisticated arena where institutional standards and community-driven viral momentum converge to create unique financial opportunities. Investors are no longer satisfied with speculative assets lacking fundamental safeguards, leading to a significant shift toward projects that prioritize technical transparency and structured growth. In this evolving landscape, the Bullski presale has emerged