The Stealthy CACTUS Ransomware Menace: Exploiting VPN Appliance Flaws and Targeting Large Corporations

Ransomware is a growing concern for companies of all sizes, and cybersecurity researchers have recently shed light on a new strain called CACTUS. This ransomware has been targeting large commercial entities since March 2021, and it has been observed to leverage known flaws in VPN appliances to gain initial access to targeted networks. Once inside, it employs double extortion tactics to steal sensitive data and demands payment in exchange for a decryption key.

Exploitation of vulnerable VPN devices sets the stage

CACTUS begins its attack by exploiting known vulnerabilities in VPN devices to set up an SSH backdoor. Once this initial access is established, the attacker executes a series of PowerShell commands to conduct network scanning and identify a list of machines to encrypt. These commands also allow the attacker to maintain persistent access to the network, making it more difficult for the victim to detect and remove the ransomware.

Using sophisticated tools for command and control

CACTUS also utilizes sophisticated tools for command and control, including the popular penetration testing framework Cobalt Strike and a tunneling tool referred to as Chisel. The ransomware authors also make use of Remote Monitoring and Management (RMM) software like AnyDesk, allowing them to remotely control the infected machines and monitor their progress.

A unique batch script evades detection

One unique aspect of CACTUS is the use of a batch script to extract the ransomware binary with 7-Zip. This process makes it harder to detect as the ransomware essentially encrypts itself, removing the .7z archive before executing the payload. This technique allows CACTUS to evade antivirus and network monitoring tools, making it more challenging for defenders to detect and remove.

Insights from cybersecurity experts

Laurie Iacono, Associate Managing Director for Cyber Risk at Kroll, commented on the unique features of CACTUS. She notes that the ransomware’s ability to encrypt itself makes it more challenging to detect, and that this demonstrates the importance of continual adaptation by cybersecurity professionals to keep up with evolving threats.

Comparison to other ransomware families

The emergence of CACTUS comes just days after Trend Micro shed light on another type of ransomware known as Rapture. This new ransomware shares some similarities with other families, such as Paradise. The use of vulnerable public-facing websites and servers is a common tactic for ransomware authors looking to gain access to corporate networks. This makes it essential for organizations to keep their systems up-to-date and enforce the principle of least privilege (PoLP).

The rising trend of new ransomware families

CACTUS and Rapture are the latest additions to a long list of new ransomware families that have come to light in recent weeks. Other examples include Gazprom, BlackBit, UNIZA, Akira, and a NoCry ransomware variant called Kadavro Vector. This trend demonstrates the continued evolution of ransomware as a significant threat to organizations worldwide.

The emergence of CACTUS and other new ransomware families highlights the critical need for organizations to stay vigilant and proactive in their approach to cybersecurity. Companies must prioritize continuous monitoring of their systems, implement regular patching and updates, and enforce the Principle of Least Privilege (PoLP) to limit the impact of ransomware attacks. As ransomware authors continue to develop new tactics and tools, it is essential for defenders to remain one step ahead and continuously adapt their strategies to keep pace with evolving threats.

Explore more

Autonomous AI Agents Risk Silent Remote Code Execution

The digital equivalent of a Trojan Horse has evolved from a simple static file into a self-executing autonomous agent that can dismantle enterprise security from the inside out while its human operators watch in silent approval. This shift represents a fundamental change in the threat landscape, where the primary risk is no longer just a malicious piece of software, but

How Does GodDamn Ransomware Evade Endpoint Protection?

The sudden emergence of the GodDamn ransomware variant has forced cybersecurity professionals to reconsider the fundamental efficacy of traditional endpoint detection and response tools that currently dominate the global market. While many legacy systems rely on signature-based detection or predictable behavioral heuristics, this specific threat utilizes a polymorphic engine that rewrites its own core instructions every time it executes on

Microsoft Warns AI Will Increase Windows Security Updates

Dominic Jainy is an acclaimed IT professional who operates at the cutting edge of artificial intelligence, machine learning, and blockchain technology. With deep experience in securing complex digital environments, he has a unique perspective on how automated tools are reshaping the traditional boundaries of software development and vulnerability management. As major tech leaders like Microsoft pivot toward AI-driven security analysis

Can Chinese DDR5 Memory Outperform Industry Giants?

Dominic Jainy is a seasoned IT professional whose career has been defined by a deep fascination with the intersection of high-performance hardware and emerging technologies like artificial intelligence and blockchain. With years spent analyzing how machine learning workloads strain traditional memory architectures, he brings a unique perspective to the current shifts in the global semiconductor landscape. As the “Big Three”

EDI Integration Streamlines Dynamics 365 for Manufacturing

The global manufacturing landscape in 2026 demands a level of operational synchronization that renders manual data entry not only obsolete but actively dangerous to a company’s long-term financial stability. While modern Application Programming Interfaces (APIs) receive the bulk of attention in technology circles, the industrial world remains firmly anchored in Electronic Data Interchange (EDI) due to the massive infrastructure investments