Apr 17, 2024
Dark Web Profile: Cactus Ransomware
A new plant has grown in the desert of cyber threats, wielding its thorns to pierce through organizations and individuals alike. The Cactus Ransomware Group, a name recently whispered with curiosity across the cybersecurity realm, has emerged from the shadows, sowing seeds of chaos and disruption in its wake. With a prickly demeanor, this threat actor has meticulously crafted its ransomware to not only encrypt but also entangle itself within the fabric of digital security, evading detection with a finesse that demands a closer look.
Threat actor card of Cactus Ransomware
Much like its namesake in the natural world, the Cactus Ransomware does not merely sit idly; it poses a latent threat, waiting for the opportune moment to strike. Employing a unique encryption technique that encrypts the ransomware binary itself, Cactus ensures its malicious endeavors go unnoticed by antivirus solutions, allowing it to propagate and establish a stronghold within the compromised system.
In this exploration, we delve into the intricate layers of Cactus Ransomware, unraveling its mechanisms, targets, and the prickly path it treads upon in the vast landscape of cyber espionage and malicious activities. Through our analysis, we aim to shed light on the dark corners where Cactus Ransomware blossoms, providing insights and recommendations to safely navigate through its thorny presence.
Who is Cactus Ransomware?
The Cactus Ransomware Group, first identified in March 2023, has rapidly spread its spines across the digital domain, exploiting vulnerabilities, particularly within VPNs, to gain unauthorized access and establish a foothold within compromised infrastructures. The group has demonstrated a sophisticated understanding of evasion techniques, employing a dynamic approach to encryption and utilizing many tools and techniques to ensure its malicious payload is delivered effectively and covertly.
Fig. 1. Illustration of Cactus Ransomware, generated using DALL-E 3
Cactus does not just stop at encryption. The threat actor ensures its presence is deeply rooted within the compromised system, employing a complex infection chain and utilizing multiple layers of obfuscation to conceal its activities. From using UPX packing and leveraging encryption algorithms like OpenSSL, AES OCB, and ChaCha20_Poly1305 to organizing restart executions and enumerating network shares, Cactus demonstrates a multifaceted approach to its attacks, ensuring that its activities are not only successful but also remain surrounded in secretiveness.
How does the Cactus Ransomware Attack?
The group has demonstrated an ability to hit stealthily, ensuring its malicious attempts remain concealed beneath a cover of sophistication and complexity. Here are the phases cactus ransomware follows when it is operating:
The Initial Access
Cactus Ransomware exploits vulnerabilities in VPN devices, paving a secret path into the target’s infrastructure. The initial access is indicated by the exploitation of VPN vulnerabilities, followed by the creation of an SSH backdoor, which not only facilitates unauthorized access but also ensures a persistent presence within the compromised network.
The Infection Chain
The infection chain of Cactus is a complicated journey through multiple layers of obfuscation and evasion. Employing a batch script to execute the ransomware sample using 7-Zip, Cactus encrypts itself, evading detection mechanisms and embedding itself within the system. The attack chain is multifaceted, involving a series of steps that include exploiting VPN vulnerabilities, utilizing remote access tools like Splashtop or AnyDesk, managing operations with SuperOps RMM software, simulating attacks with Cobalt Strike, establishing encrypted communication channels with Chisel, and exfiltrating credentials.
Encryption Phase
Once embedded, Cactus Ransomware follows a path of encryption. The ransomware employs AES-256-GCM and RSA-4096 encryption algorithms, ensuring the victim’s files are securely encrypted, amplifying the attack’s impact. The ransom note, named “cAcTuS.readme.txt“, is then released, planting seeds of panic and urgency within the victim.
Fig. 2. Ransom note of Cactus Ransomware
Data Exfiltration and Leaks
Cactus does not merely stop at encryption. The threat actor ensures that its venomous spines reach far and wide, threatening to publish the victim’s data on its data leak portal if the ransom is not paid, which is called the double extortion method. The data leak portal, a dark web domain, becomes a threat to the victims, ensuring that the attack’s implications extend beyond encryption, permeating into data integrity and reputation damage.
Persistence
Cactus Ransomware ensures its persistent presence within the compromised system by creating a scheduled task named “Updates Check Task” that runs every 5 minutes, thereby running the ransomware as SYSTEM and ensuring that its malicious activities continue without a problem.
Structure of Cactus Ransomware
Now, if we move on to the structure of the Cactus:
The sample we can access from the internet is the GNU linker. Looking at the details, we can observe that the language it was developed in is C/C++.
Our sample’s hash is:
SHA256: 78c16de9fc07f1d0375a093903f86583a4e32037a7da8aa2f90ecb15c4862c17
Fig. 3. Detect It Easy output showing that Cactus ransomware is developed in C/C++
A Quick Look at Cactus Ransomware’s TOR site
When we access Cactus Ransomware’s TOR site, we are greeted by the main page listing victim shares.
Fig. 4. Main page of Cactus Ransomware TOR site
When we access Cactus Ransomware’s TOR site, we are greeted by the main page listing victim shares. At the top, a search box and buttons take you to the “Home” and “Contact” sections.
Clicking on any victim on the main page opens the victim detail page, which includes information about Cactus’ victim, a download link to the data leaked by Cactus, and evidentiary images:
Fig. 5. Victim details page of one of the Cactus Ransomware’s victims
As we click on the Contact page above, we are greeted with a link to the sonar message platform to access “Cactus Support”.
Fig. 6. Contact page of Cactus Ransomware TOR site
When we follow the Sonar message link, there are message boxes for us to reach Cactus:
Fig. 7. Sonar Message TOR page set for Cactus Support
What are the targets of Cactus Ransomware?
Navigating through the dry landscapes sculpted by the Cactus Ransomware Group, we encounter many targets. The targets paint a picture of a threat actor that is not bound by geographical or sectoral limitations but rather one that spreads its spines far and wide.
Target Sectors:
The sectors targeted by the Cactus Ransomware Group are as diverse as they are numerous. From financial entities to law firms, Cactus has ensured that its thorns prick through various sectors of our digital world. But mostly, the group targeted organizations that operate in Manufacturing and Professional Services.
Fig. 8. Distribution of Industries Affected by Cactus Ransomware
Target Countries:
With its global attribute, Cactus Ransomware does not confine its malicious endeavors to a specific geographical locale. Its spines have pierced through various countries.
Fig. 9. Countries Affected by Cactus Ransomware (Source: SOCRadar)
Looking at the distribution of the victim countries, the United States is targeted mostly (51.9%) by the Cactus Ransomware.
Fig. 10. Distribution of countries affected by Cactus Ransomware (Source: SOCRadar)
Latest Activities of Cactus Ransomware
The Hurley Group:
Fig. 11. The Hurley Group’s Victim post of Cactus Ransomware
RICOR Global Limited:
Fig. 12. RICOR’s victim post of Cactus Ransomware
Conclusion
The Cactus Ransomware Group poses a significant threat in the cyber landscape. They have established themselves as a major cyber adversary using advanced encryption techniques, evasion strategies, and diverse attack methods. They have successfully attacked various sectors globally, demonstrating their ability to penetrate and remain within systems, causing chaos and disruption. Victims face encryption challenges and the potential public exposure of their data on Cactus’s leak portal, jeopardizing data integrity, confidentiality, and organizational reputation. It is crucial to understand Cactus Ransomware’s tactics to combat this threat and equip ourselves with the necessary knowledge and tools to protect against it. The next section will provide security recommendations to defend against Cactus Ransomware’s malicious activities.
Fig. 13. Threat Actor/Malware page of Cactus Ransomware (Source: SOCRadar)
Security Recommendations Against Cactus Ransomware
Navigating through the dangerous desert sculpted by the Cactus Ransomware Group necessitates not only an understanding of its prickly paths but also the armament of robust defenses to safeguard against its venomous spines. As we tread cautiously through the thorny terrains, let’s explore various security recommendations to shield against the multifaceted threats posed by Cactus Ransomware.
Patching and Updating: A Shield Against Vulnerabilities
Prioritize VPN Security: Ensure that all VPN softwares/devices are patched and updated to shield against vulnerabilities exploited by Cactus.
Regular Updates: Consistently update all software, systems, and applications to fortify defenses against potential breaches.
- Enhanced Detection Mechanisms: Unveiling the Concealed Threat
Antivirus Solutions: Employ robust antivirus and EDR/EPP solutions capable of detecting and mitigating threats posed by self-encrypting ransomware binaries.
Behavioral Analysis: Utilize tools, including EDR (Endpoint Detection and Response) and EPP (Endpoint Protection Platform), that perform behavioral analysis to detect anomalous activities indicative of a ransomware attack.
- Data Protection: Safeguarding the Lifeblood of Operations
Regular Backups: Ensure that data is backed up regularly and that backup systems are isolated from the network to safeguard against encryption.
Data Encryption: Employ data encryption to protect sensitive information from potential leaks and unauthorized access.
- User Awareness and Training: Armoring the Human Element
Phishing Awareness: Conduct training sessions to enhance user awareness regarding phishing emails, which are often utilized by Cactus for initial access.
Safe Practices: Educate users on safe online practices to mitigate the risk of inadvertently facilitating a breach.
- Network Security: Fortifying the Digital Perimeter
Network Segmentation: Employ network segmentation to contain the spread of ransomware in the event of a breach.
Secure Configurations: Ensure that systems and networks are securely configured to shield against potential infiltrations.
- Incident Response Plan: Navigating Through the Crisis
Develop and Test: Formulate an incident response plan and ensure that it is tested and updated regularly to effectively navigate through a crisis.
Communication Channels: Establish secure communication channels to coordinate response efforts in the event of a ransomware attack.
- Legal and Regulatory Compliance: Navigating Through the Repercussions
Data Breach Protocols: Ensure that data breach protocols are in place and comply with legal and regulatory requirements pertaining to data exposure and leaks.
Notification Procedures: Establish procedures to notify affected parties and relevant authorities in the event of a data breach.
- Leveraging Cyber Threat Intelligence: A Beacon in the Desert
Utilize Threat Intelligence: Leverage cyber threat intelligence to gain insights into the tactics, techniques, and procedures (TTPs) employed by Cactus Ransomware.
SOCRadar’s Insights: Utilize SOCRadar to stay abreast of the latest developments and threats posed by threat actors like the Cactus Ransomware Group, ensuring that defenses are continually updated and fortified against emerging threats.
MITRE ATT&CK TTPs of Cactus Ransomware
| Technique | ID |
| Initial Access | |
| Exploit Public-Facing Application | T1190 |
| Execution | |
| Command and Scripting Interpreter | T1059 |
| Windows Management Instrumentation | T1047 |
| Shared Modules | T1129 |
| Software Deployment Tools | T1072 |
| Persistence | |
| DLL Side-Loading | T1574.002 |
| Scheduled Task/Job | T1053 |
| Scheduled Task | T1053.005 |
| Create Account | T1136 |
| Privilege Escalation | |
| Process Injection | T1055 |
| DLL Side-Loading | T1574.002 |
| Defense Evasion | |
| Process Injection | T1055 |
| Obfuscated Files or Information | T1027 |
| Masquerading | T1036 |
| Virtualization/Sandbox Evasion | T1497 |
| Hidden Files and Directories | T1564.001 |
| DLL Side-Loading | T1574.002 |
| Impair Defenses | T1562 |
| Disable or Modify Tools | T1562.001 |
| Obfuscated Files or Information | T1027 |
| Software Packing | T1027.002 |
| Credential Access | |
| Input Capture | T1056 |
| Credentials from Password Stores | T1555 |
| Credentials from Web Browsers | T1555.003 |
| OS Credential Dumping | T1003 |
| Discovery | |
| System Information Discovery | T1082 |
| Security Software Discovery | T1518.001 |
| Remote System Discovery | T1018 |
| Process Discovery | T1057 |
| File and Directory Discovery | T1083 |
| Virtualization/Sandbox Evasion | T1497 |
| System Network Connections Discovery | T1049 |
| Account Discovery | T1087 |
| Domain Account | T1087.002 |
| Lateral Movement | |
| Remote Services | T1021 |
| Remote Services: Remote Desktop Protocol | T1021.001 |
| Lateral Tool Transfer | T1570 |
| Collection | |
| Input Capture | T1056 |
| Automated Collection | T1119 |
| Command and Control | |
| Application Layer Protocol | T1071 |
| Non-Application Layer Protocol | T1095 |
| Non-Standard Port | T1571 |
| Encrypted Channel | T1573 |
| Remote Access Software | T1219 |
| Proxy | T1090 |
| Exfiltration | |
| Exfiltration Over Web Service | T1567 |
| Exfiltration Over Web Service: Exfiltration to Cloud Storage | T1567.002 |
| Impact | |
| Data Encrypted for Impact | T1486 |
Cactus Ransomware IoCs
| IP | 163.123.142[.]213 |
| HASH | b9ef2e948a9b49a6930fc190b22cbdb3571579d37a4de56564e41a2ef736767b |
| HASH | 5b70972c72bf8af098350f8a53ec830ddbd5c2c7809c71649c93f32a8a3f1371 |
| HASH | 78c16de9fc07f1d0375a093903f86583a4e32037a7da8aa2f90ecb15c4862c17 |
| HASH | 248795453ceb95e39db633285651f7204813ea3a |
| HASH | 6715b888a280d54de9a8482e40444087fd4d5fe8 |
| HASH | 78aea93137be5f10e9281dd578a3ba73 |
Related Articles
Subscribe to our newsletter and stay updated on the latest insights!
