Cactus Ransomware

The Cactus Ransomware Encrypts Itself To Avoid Detection

Active since March 2023, the Cactus Ransomware differs from the other ransomware variants in operation. According to researchers, it exploits vulnerabilities in Fortinet VPN appliances to gain access to the victim’s network. So far, it has targeted “large commercial entities”, demanding money from them. What makes it stand out from the rest is that the ransomware encrypts itself to avoid detection.

But before going into further detail on Cactus ransomware and its feature list, let’s recap the basic concept of ransomware.

What Is Ransomware?

In simple words, ransomware restricts users from accessing the files and folders stored on their computers by locking them behind encryption. The attackers ask for money and, in return, provide a decryption code. At times, ransomware attacks also involve data theft, erasing data and leaking confidential information.

What Is The Mode Of Operation For Cactus Ransomware?

As previously mentioned, Cactus encrypts itself to avoid detection by antivirus software. As recorded by cybersecurity experts, the attackers enter the victim’s network by exploiting existing security flaws in the VPN appliances and using “compromised service accounts” on the VPN servers.

Further, the operators of the Cactus ransomware use a batch script that obtains the encryptor binary using 7-Zip (a well-known compression tool). Once the binary has been extracted, the initial ZIP archive is deleted. The binary is then executed with a specific parameter, which makes it difficult for antivirus software to detect the underlying threat.

Also, reports suggest that the attackers use three different execution modes, each selected by a command-line switch:

  • -s (setup) – Performs the setup and stores data in the C:\ProgramData\ntuser.dat file.
  • -r (read configuration) – Loads a configuration file and command-line arguments.
  • -i (encryption) – Supplies a unique AES key needed to execute file encryption. This key is also used to decrypt the ransomware’s main configuration file and the related public RSA key used to encrypt files. Further, a HEX string carrying the key is embedded in the encryptor’s binary; decoding it gives access to the encrypted data.
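
The staging chain and mode switches described above can be hunted for in process-creation logs. The following is an added example, not code from the original article or from the researchers it cites; the event field names, the sample events and the assumption that the -i key appears on the command line as a hex-like token of 16 or more characters are illustrative.

```python
import re
from collections import defaultdict

# Patterns for the staging chain described above. Assumption: the -i key is
# passed on the command line as a hex-like token of 16+ characters.
SEVEN_ZIP = re.compile(r'\b7z[a-z]?(\.exe)?"?\s+[xe]\s', re.I)
DEL_ARCHIVE = re.compile(r"\b(del|erase)\b.*\.(zip|7z)\b", re.I)
MODE_FLAG = re.compile(r"\s-[sr](\s|$)|\s-i\s+[0-9a-f-]{16,}(\s|$)", re.I)
SETUP_FILE = re.compile(r"c:\\programdata\\ntuser\.dat", re.I)
TRUSTED = ("c:\\windows\\", "c:\\program files")  # tune per environment

def triage(events):
    """Group process-creation events by host and report chain evidence.
    Each event is a dict with "host", "image" and "cmd" (hypothetical field
    names; map them from Sysmon Event ID 1 or your EDR's schema).
    Returns {host: [finding, ...]} in the order the events were seen."""
    findings = defaultdict(list)
    state = defaultdict(lambda: {"extracted": False, "deleted": False})
    for ev in events:
        host, cmd, st = ev["host"], ev["cmd"], state[ev["host"]]
        if SEVEN_ZIP.search(cmd):
            st["extracted"] = True
        elif st["extracted"] and DEL_ARCHIVE.search(cmd):
            st["deleted"] = True
            findings[host].append("archive deleted after 7-Zip extraction")
        elif MODE_FLAG.search(cmd) and not ev["image"].lower().startswith(TRUSTED):
            # A lone -s/-r/-i is weak; after extract-then-delete it is strong.
            level = "HIGH" if st["deleted"] else "LOW"
            findings[host].append(f"{level}: mode flag on {ev['image']}")
        if SETUP_FILE.search(cmd):
            findings[host].append("HIGH: references C:\\ProgramData\\ntuser.dat")
    return dict(findings)

# Constructed sample events (not taken from a real incident).
SAMPLE = [
    {"host": "ws1", "image": r"C:\Program Files\7-Zip\7z.exe",
     "cmd": r'"C:\Program Files\7-Zip\7z.exe" x C:\Users\Public\a.7z -oC:\Users\Public'},
    {"host": "ws1", "image": r"C:\Windows\System32\cmd.exe",
     "cmd": r"cmd.exe /c del /q C:\Users\Public\a.7z"},
    {"host": "ws1", "image": r"C:\Users\Public\svc.exe",
     "cmd": r"C:\Users\Public\svc.exe -s"},
    {"host": "ws2", "image": r"C:\Windows\System32\shutdown.exe",
     "cmd": "shutdown.exe -r -t 0"},
    {"host": "ws2", "image": r"C:\Tools\backup.exe", "cmd": r"C:\Tools\backup.exe -r"},
]

if __name__ == "__main__":
    for host, items in triage(SAMPLE).items():
        print(host, items)
```

Single-letter switches are common in legitimate software, so a lone match is only a lead; the extract-then-delete sequence and the ntuser.dat path under C:\ProgramData carry most of the signal.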

Files And Extensions Used By Cactus Ransomware To Target Companies

As per Michael Gillespie, the ransomware uses various extensions for the target files depending on their processing state. There is also a quick mode, which is akin to a light encryption pass.

Running the malware consecutively in normal and quick mode encrypts the same file twice, appending an extension after each pass.

Ransomware continued to be the most common form of malware in 2022

Once inside the network, Cactus ransomware uses scheduled tasks to keep persistent access through an SSH backdoor reachable from the command and control (C2) server. The operators rely on SoftPerfect Network Scanner to pick out targets of interest on the network. Further, the hackers:

  • Enumerate endpoints over PowerShell commands.
  • Use Windows Event Viewer to identify user accounts and ping remote hosts.

There are traces of the operators using a modified version of the open-source PSnmap tool, a PowerShell equivalent of the nmap network scanner. Some of the legitimate remote access tools and other utilities put to use by Cactus ransomware so far are:

  • AnyDesk
  • Splashtop
  • SuperOps RMM
  • Proxy tool Chisel
  • Cobalt Strike

How Does Cactus Ransomware Operate?

After accessing a particular machine, the Cactus Ransomware uninstalls all the commonly used antivirus programs by running a batch script.

Similar to other ransomware operations, Cactus steals data from its victims, using the Rclone tool to transfer all the collected files to dedicated cloud storage. Following the data exfiltration, the hackers use TotalExec, a PowerShell script, to automate the deployment of the encryption process.

There is no specific information about the amount Cactus ransomware collects from its victims, but sources have revealed the sums are in lakhs. The victims are also threatened that their confidential data will be published if the ransom is not paid.

Life seems easy with generative AI models like Auto GPT and smart wearables on board. However, incidents like these make humankind question the future it is moving into, seeking answers to questions like “Are we safe?”
