The Stealthy CACTUS Ransomware Menace: Exploiting VPN Appliance Flaws and Targeting Large Corporations

Ransomware is a growing concern for companies of all sizes, and cybersecurity researchers have recently shed light on a new strain called CACTUS. This ransomware has been targeting large commercial entities since March 2021, and it has been observed to leverage known flaws in VPN appliances to gain initial access to targeted networks. Once inside, it employs double extortion tactics to steal sensitive data and demands payment in exchange for a decryption key.

Exploitation of vulnerable VPN devices sets the stage

CACTUS begins its attack by exploiting known vulnerabilities in VPN devices to set up an SSH backdoor. Once this initial access is established, the attacker executes a series of PowerShell commands to conduct network scanning and identify a list of machines to encrypt. These commands also allow the attacker to maintain persistent access to the network, making it more difficult for the victim to detect and remove the ransomware.

Using sophisticated tools for command and control

CACTUS also utilizes sophisticated tools for command and control, including the popular penetration testing framework Cobalt Strike and a tunneling tool referred to as Chisel. The ransomware authors also make use of Remote Monitoring and Management (RMM) software like AnyDesk, allowing them to remotely control the infected machines and monitor their progress.

A unique batch script evades detection

One unique aspect of CACTUS is the use of a batch script to extract the ransomware binary with 7-Zip. This process makes it harder to detect as the ransomware essentially encrypts itself, removing the .7z archive before executing the payload. This technique allows CACTUS to evade antivirus and network monitoring tools, making it more challenging for defenders to detect and remove.

Insights from cybersecurity experts

Laurie Iacono, Associate Managing Director for Cyber Risk at Kroll, commented on the unique features of CACTUS. She notes that the ransomware’s ability to encrypt itself makes it more challenging to detect, and that this demonstrates the importance of continual adaptation by cybersecurity professionals to keep up with evolving threats.

Comparison to other ransomware families

The emergence of CACTUS comes just days after Trend Micro shed light on another type of ransomware known as Rapture. This new ransomware shares some similarities with other families, such as Paradise. The use of vulnerable public-facing websites and servers is a common tactic for ransomware authors looking to gain access to corporate networks. This makes it essential for organizations to keep their systems up-to-date and enforce the principle of least privilege (PoLP).

The rising trend of new ransomware families

CACTUS and Rapture are the latest additions to a long list of new ransomware families that have come to light in recent weeks. Other examples include Gazprom, BlackBit, UNIZA, Akira, and a NoCry ransomware variant called Kadavro Vector. This trend demonstrates the continued evolution of ransomware as a significant threat to organizations worldwide.

The emergence of CACTUS and other new ransomware families highlights the critical need for organizations to stay vigilant and proactive in their approach to cybersecurity. Companies must prioritize continuous monitoring of their systems, implement regular patching and updates, and enforce the Principle of Least Privilege (PoLP) to limit the impact of ransomware attacks. As ransomware authors continue to develop new tactics and tools, it is essential for defenders to remain one step ahead and continuously adapt their strategies to keep pace with evolving threats.

Explore more

Visa Launches SDK to Expand Digital Payments Across Africa

A local street vendor in Accra or a tech-savvy freelancer in Dar es Salaam often finds that having a mobile wallet is not enough to participate in the lucrative global digital economy. While local transfers have flourished, the inability to access international marketplaces creates a glass ceiling for millions of ambitious African entrepreneurs and consumers. The launch of the Visa

Uzbekistan Rapidly Transforms Its Digital Financial Sector

A traveler walking through the bustling Chorsu Bazaar in Tashkent today would likely witness a scene that would have been unrecognizable only a few years ago: vendors who once strictly dealt in stacks of som notes now effortlessly accept instant QR code payments on their mobile devices. This micro-level shift at a local market stall reflects a macro-level upheaval within

How Remote Work and AI Are Eroding Entry-Level Hiring

The traditional expectation that a university degree serves as a guaranteed entry point into a stable professional trajectory has collided with a harsh new economic reality where early-career opportunities are rapidly evaporating. While the labor market has historically rewarded the vigor and potential of young graduates, a silent decoupling occurred that left the newest members of the workforce navigating a

Salesforce, NiCE, and Oracle Lead ISG 2026 CXM Rankings

The modern consumer’s loyalty now hinges on a singular, invisible thread that snaps the moment a customer is forced to repeat their grievance to a third representative who has no record of the previous conversation. In a marketplace defined by hyper-competition, these fragmented experiences are no longer merely inconvenient; they are financially catastrophic for the enterprise. As organizations struggle with

Has Hyper-Measurement Killed Creativity in B2B Marketing?

The digital dashboard promised a world of absolute certainty where every marketing dollar could be tracked with surgical precision, yet many B2B brands now find themselves invisible in a sea of data-driven sameness. While marketing departments once thrived on intuition and bold storytelling, the modern era has substituted that creative spark for a reliance on real-time analytics that often prioritizes