Date: 10 May 2023

Threat Actor

Cactus

Description

A new ransomware operation called Cactus has been exploiting vulnerabilities in VPN appliances for initial access to networks of “large commercial entities.”

The Cactus ransomware operation has been active since at least March and is looking for big payouts from its victims.

While the new threat actor adopted the usual tactics seen in ransomware attacks - file encryption and data theft - it added its own touch to avoid detection.

Cactus ransom note threatens with publishing stolen data

Cactus ransomware TTPs

Technical Summary of Cactus

Cactus obtains initial access into the victim network by exploiting known vulnerabilities in Fortinet VPN appliances.

What sets Cactus apart from other operations is the use of encryption to protect the ransomware binary. The actor uses a batch script to obtain the encryptor binary using 7-Zip.

The original ZIP archive is removed and the binary is deployed with a specific flag that allows it to execute. The entire process is unusual and the researchers that this is to prevent the detection of the ransomware encryptor.

There are three main modes of execution, each one selected with the use of a specific command line switch: setup (-s), read configuration (-r), and encryption (-i).

The -s and -r arguments allow the threat actors to setup persistence and store data in a C:\ProgramData\ntuser.dat file that is later read by the encryptor when running with the -r command line argument.

For the file encryption to be possible, though, a unique AES key known only to the attackers must be provided using the -i command line argument.

This key is necessary to decrypt the ransomware's configuration file and the public RSA key needed to encrypt files. It is available as a HEX string hardcoded in the encryptor binary.

Running the binary with the correct key for the -i (encryption) parameter unlocks the information and allows the malware to search for files and start a multi-thread encryption process.

CACTUS essentially encrypts itself, making it harder to detect and helping it evade antivirus and network monitoring tools.

Reference

https://www.bleepingcomputer.com/news/security/new-cactus-ransomware-encrypts-itself-to-evade-antivirus/