A new ransomware strain called CACTUS has been discovered by cybersecurity researchers. This malware is leveraging known flaws in VPN appliances to gain initial access to targeted networks. Once inside the network, CACTUS actors enumerate local and network user accounts, then create new user accounts and leverage custom scripts to deploy the ransomware encryptor via scheduled tasks. CACTUS has been targeting large commercial entities since March 2023, with attacks employing double extortion tactics to steal sensitive data prior to encryption.
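The chain described above (new accounts created, then scheduled tasks used to launch the encryptor) gives defenders a sequence to correlate on: a user-created event followed shortly by a scheduled-task registration performed by that same new account. The following detection sketch is an added example, not code from the original article or from any vendor report; it runs over constructed sample records whose field names (`time`, `host`, `event_id`, `subject`, `target`, `task`) are assumed SIEM-normalised forms of Windows Security Event IDs 4720 (user account created) and 4698 (scheduled task created).

```python
"""Correlate Windows Security events for the account-then-task sequence:
a local account is created (Event ID 4720) and, within a short window, a
scheduled task is registered (Event ID 4698) by that newly created account."""
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry). Field names are assumed
# SIEM-normalised versions of the Windows Security log fields.
SAMPLE_EVENTS = [
    {"time": "2023-05-01T10:00:00", "host": "srv01", "event_id": 4720,
     "subject": "CORP\\admin", "target": "svc_backup2"},
    {"time": "2023-05-01T10:12:30", "host": "srv01", "event_id": 4698,
     "subject": "srv01\\svc_backup2", "task": "\\Microsoft\\Windows\\Update2"},
    {"time": "2023-05-01T11:00:00", "host": "srv02", "event_id": 4720,
     "subject": "CORP\\hr", "target": "jdoe"},
    {"time": "2023-05-02T09:00:00", "host": "srv02", "event_id": 4698,
     "subject": "srv02\\jdoe", "task": "\\Backup"},
]


def find_suspicious_sequences(events, window=timedelta(hours=1)):
    """Return (account, host, task) tuples for every scheduled task that was
    registered by an account created on the same host within `window`."""
    events = sorted(events, key=lambda e: e["time"])
    created = {}  # (host, account) -> creation time of that account
    hits = []
    for e in events:
        t = datetime.fromisoformat(e["time"])
        if e["event_id"] == 4720:
            # Remember when this account appeared on this host.
            created[(e["host"], e["target"].lower())] = t
        elif e["event_id"] == 4698:
            # Strip the DOMAIN\ or HOST\ prefix to get the bare account name.
            account = e["subject"].split("\\")[-1].lower()
            t0 = created.get((e["host"], account))
            if t0 is not None and t - t0 <= window:
                hits.append((account, e["host"], e["task"]))
    return hits


if __name__ == "__main__":
    for account, host, task in find_suspicious_sequences(SAMPLE_EVENTS):
        print(f"[!] new account {account!r} on {host} registered task {task}")
```

The window is the tunable: the `jdoe` account in the sample only matches when it is widened to a day, so it should be set from how quickly the environment normally goes from provisioning an account to scheduling work under it.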
A novel aspect of CACTUS is that it essentially encrypts itself, making it harder to detect and helping it evade antivirus and network monitoring tools. The malware uses a vulnerability in a popular VPN appliance, indicating that threat actors continue to target remote access services and unpatched vulnerabilities for initial access.
The ransomware deployment is achieved by means of a PowerShell script that has also been used by the Black Basta group. CACTUS attacks also utilize Cobalt Strike and a tunneling tool referred to as Chisel for command-and-control, alongside remote monitoring and management software like AnyDesk to push files to the infected hosts.
CACTUS and Rapture are the latest additions to a long list of new ransomware families that have come to light in recent weeks. It is imperative that companies take steps to keep systems up-to-date and enforce the principle of least privilege to prevent these types of attacks.
In conclusion, CACTUS is a new ransomware strain that is exploiting VPN weaknesses to target large commercial entities. Its unique feature of self-encryption makes it harder to detect and helps it evade antivirus and network monitoring tools. Companies should prioritize updating their systems and enforcing the principle of least privilege to prevent these types of attacks.