From Data Insights to Cyber Threats: The Tale of Qlik Sense and Cactus Ransomware

Tags: Cactus, Qlik Sense, ManageEngine UEMS, AnyDesk

Cactus is a ransomware family that has been active since March 2023, targeting large commercial organizations. Cactus attempts to enumerate local and network user accounts and the endpoints reachable within a network. The ransomware uses a new encryption scheme and also employs double-extortion tactics to pressure victims into paying the ransom. Cactus gains initial access to targeted networks by exploiting known vulnerabilities in VPN devices. It makes detection difficult by encrypting its own payload, thereby bypassing antivirus and network monitoring tools.

Indicators of Compromise

No domains found for this campaign

Campaign Guidance

Remediation, mitigation, notes, history and related intelligence

M1038 (Execution Prevention): Use application control to mitigate installation and use of unapproved software that can be used for remote access.

M1037 (Filter Network Traffic): Properly configure firewalls, application firewalls, and proxies to limit outgoing traffic to sites and services used by remote access software.

M1031 (Network Intrusion Prevention): Network intrusion detection and prevention systems that use network signatures may be able to prevent traffic to remote access services.

M1037 (Filter Network Traffic): Traffic to known anonymity networks and C2 infrastructure can be blocked through the use of network allow and block lists. It should be noted that this kind of blocking may be circumvented by other techniques like Domain Fronting.

M1031 (Network Intrusion Prevention): Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific C2 protocol used by a particular adversary or tool, and will likely be different across various malware families and versions. Adversaries will likely change tool C2 signatures over time or construct protocols in such a way as to avoid detection by common defensive tools. [60]

M1020 (SSL/TLS Inspection): If it is possible to inspect HTTPS traffic, the captures can be analyzed for connections that appear to be domain fronting.

M1038 (Execution Prevention): Use application control where appropriate, especially regarding the execution of tools outside of the organization's security policies (such as rootkit removal tools) that have been abused to impair system defenses. Ensure that only approved security applications are used and running on enterprise systems.

M1022 (Restrict File and Directory Permissions): Ensure proper process and file permissions are in place to prevent adversaries from disabling or interfering with security services.

M1024 (Restrict Registry Permissions): Ensure proper Registry permissions are in place to prevent adversaries from disabling or interfering with security services.

M1018 (User Account Management): Ensure proper user permissions are in place to prevent adversaries from disabling or interfering with security services.

Reports & References (1)

Observed Countries (250)

AD (173)
AE (739)
AF (189)
AG (583)
AI (479)
AL (176)
AM (794)
AO (546)
AQ (256)
AR (425)
AS (522)
AT (337)
AU (413)
AW (667)
AX (647)
AZ (60)
BA (318)
BB (758)
BD (810)
BE (247)
BF (709)
BG (977)
BH (449)
BI (850)
BJ (806)
BL (783)
BM (935)
BN (334)
BO (820)
BQ (769)
BR (993)
BS (121)
BT (619)
BV (330)
BW (268)
BY (820)
BZ (44)
CA (555)
CC (270)
CD (807)
CF (865)
CG (618)
CH (384)
CI (689)
CK (874)
CL (252)
CM (14)
CN (385)
CO (189)
CR (85)
CU (132)
CV (274)
CW (305)
CX (495)
CY (693)
CZ (114)
DE (10)
DJ (857)
DK (116)
DM (760)
DO (870)
DZ (652)
EC (769)
EE (81)
EG (210)
EH (727)
ER (827)
ES (873)
ET (86)
FI (529)
FJ (984)
FK (143)
FM (207)
FO (446)
FR (508)
GA (152)
GB (585)
GD (191)
GE (630)
GF (370)
GG (989)
GH (140)
GI (189)
GL (114)
GM (253)
GN (534)
GP (914)
GQ (522)
GR (410)
GS (15)
GT (336)
GU (865)
GW (292)
GY (894)
HK (162)
HM (144)
HN (231)
HR (167)
HT (69)
HU (357)
ID (65)
IE (329)
IL (772)
IM (519)
IN (351)
IO (775)
IQ (868)
IR (687)
IS (467)
IT (177)
JE (926)
JM (897)
JO (294)
JP (148)
KE (373)
KG (642)
KH (74)
KI (440)
KM (243)
KN (230)
KP (356)
KR (665)
KW (298)
KY (633)
KZ (683)
LA (534)
LB (86)
LC (946)
LI (836)
LK (839)
LR (1)
LS (503)
LT (370)
LU (58)
LV (935)
LY (567)
MA (596)
MC (661)
MD (50)
ME (669)
MF (453)
MG (900)
MH (722)
MK (835)
ML (492)
MM (618)
MN (388)
MO (767)
MP (713)
MQ (179)
MR (462)
MS (100)
MT (311)
MU (154)
MV (380)
MW (682)
MX (633)
MY (522)
MZ (971)
NA (584)
NC (387)
NE (50)
NF (405)
NG (691)
NI (119)
NL (444)
NO (232)
NP (477)
NR (392)
NU (678)
NZ (362)
OM (777)
PA (458)
PE (101)
PF (552)
PG (449)
PH (235)
PK (842)
PL (691)
PM (99)
PN (729)
PR (685)
PS (416)
PT (271)
PW (970)
PY (996)
QA (486)
RE (614)
RO (221)
RS (204)
RU (834)
RW (876)
SA (941)
SB (192)
SC (756)
SD (63)
SE (457)
SG (735)
SH (769)
SI (512)
SJ (640)
SK (877)
SL (716)
SM (384)
SN (882)
SO (415)
SR (621)
SS (558)
ST (648)
SV (124)
SX (720)
SY (532)
SZ (442)
TC (971)
TD (933)
TF (161)
TG (629)
TH (742)
TJ (588)
TK (316)
TL (18)
TM (594)
TN (191)
TO (233)
TR (970)
TT (357)
TV (24)
TW (936)
TZ (252)
UA (431)
UG (33)
UM (239)
US (164)
UY (450)
UZ (952)
VA (861)
VC (174)
VE (570)
VG (640)
VI (667)
VN (972)
VU (167)
WF (102)
WS (899)
XK (613)
YE (936)
YT (307)
ZA (307)
ZM (134)
ZW (588)