Cactus Ransomware Group Lists 5 Global Corps As Victims!


In a concerning turn of events, a relatively new ransomware group known as Cactus has added five high-profile victims to its dark web leak site.

Victims from diverse regions around the globe and across a range of industries have become ensnared in the mysterious cyber threat’s intricate web.

The affected entities include Seymours, Groupe Promotrans, MINEMAN Systems, Maxxd Trailers, and Marfrig Global Foods.

The Cactus ransomware group promptly flaunted their acquired assets, openly identifying their victims and providing brief descriptions of each on their dark web channel.

Cactus ransomware group targets multiple firms

Cactus ransomware group
Source: Twitter

The first on the list of victims is Seymours, a renowned Surrey estate agent with a strong presence in the region.

Seymours boasts six offices situated strategically in Ripley, Guildford, Burpham, Woking, and West Byfleet, with one dedicated to the management and letting of properties available for sale.

The second victim, Promotrans, operates within the professional training and coaching sector.

With a workforce ranging from 251 to 500 individuals and a revenue stream estimated at $25 million to $50 million, Promotrans is a prominent player in the industry.

The company is headquartered in the vibrant city of Paris, Île-de-France, France.

Cactus ransomware group
Source: Twitter

MAXXD Trailers, the next entity on the list, operates as a subsidiary of Maxey Trailers Mfg. Inc., a Texan company established in 1999.

Starting as a one-person operation, Maxey Trailers has grown substantially, employing 70 dedicated individuals responsible for producing a staggering 5,000 trailers annually. Their reach extends across the United States and Canada.

Marfrig Global Foods, another victim of the Cactus ransomware group, is the second-largest Brazilian food processing company after JBS, and specializes in processing beef products.

Cactus ransomware group
Source: Twitter

The last victim mentioned, MINEMAN Systems, holds a crucial role in marketing concentrates and metals sourced from mining operations.

The Cyber Express reached out to the affected companies to obtain their official responses or statements regarding these cyber attacks.

However, at the time of writing, no official response had been received from these corporations, leaving the claims of the cyber attacks unverified.

Modus operandi of the Cactus ransomware group

The emergence of the Cactus ransomware group is nothing less than mysterious. This new threat actor has quickly gained notoriety in the dark web markets for its sophisticated tactics.

The CACTUS cybercriminal group primarily focuses on VPN appliances for initial access and the installation of backdoors.

In their attacks thus far, they have exploited known vulnerabilities in VPN appliances and then moved on through the victim's systems.

The group’s name, ‘CACTUS,’ stems from the filename provided within their ransom note, ‘cAcTuS.readme.txt,’ and their self-declared moniker within the same note.

Encrypted files are marked with the extension ‘.cts1,’ although it is worth noting that the number at the end of the extension may vary across incidents and victims.

CACTUS’s modus operandi involves gaining initial access to a VPN appliance using a service account, followed by deploying an SSH backdoor that connects to their command-and-control (C2) server. The backdoor is executed via a scheduled task.

Subsequently, the threat actors engage in a comprehensive network survey, employing a commercial Windows network scanner by an Australian company named SoftPerfect.

Further PowerShell commands and scripts are used to enumerate networked computers and extract user accounts from the Windows Security event log.
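The two file-system indicators quoted above (the ransom note name and the ‘.cts’ extension with its varying trailing number) lend themselves to a simple triage check. The following is an added example written for this article, not code from the group, the victims or The Cyber Express; the file listing it scans is constructed, and the `triage_paths` helper is hypothetical.

```python
import re
from collections import Counter
from typing import Iterable

# Indicators quoted in the article: the ransom note filename and the encrypted-file
# extension, whose trailing number varies between incidents (.cts1, .cts2, ...).
RANSOM_NOTE = "cactus.readme.txt"          # compared case-insensitively
CTS_EXT = re.compile(r"\.cts(\d+)$", re.IGNORECASE)


def triage_paths(paths: Iterable[str]) -> dict:
    """Scan a listing of file paths for Cactus-style indicators.

    Returns the ransom-note paths found, a histogram of the numeric suffix seen
    after '.cts', the number of renamed (encrypted) files, and an overall flag.
    """
    notes = []
    suffixes = Counter()
    for path in paths:
        # Normalise Windows and POSIX separators, then take the basename.
        name = path.replace("\\", "/").rsplit("/", 1)[-1]
        if name.lower() == RANSOM_NOTE:
            notes.append(path)
            continue
        m = CTS_EXT.search(name)
        if m:
            suffixes[int(m.group(1))] += 1
    encrypted = sum(suffixes.values())
    return {
        "notes": notes,
        "suffixes": dict(suffixes),
        "encrypted": encrypted,
        "suspicious": bool(notes) or encrypted > 0,
    }


# Constructed sample listing (not taken from any real incident).
SAMPLE_PATHS = [
    r"C:\Shares\Finance\Q2-report.xlsx.cts1",
    r"C:\Shares\Finance\cAcTuS.readme.txt",
    r"C:\Shares\Finance\budget.docx.cts1",
    r"C:\Users\jdoe\Documents\notes.txt",
    r"C:\Shares\HR\payroll.csv.cts7",   # different suffix, same naming scheme
    r"C:\Program Files\App\cts1.dll",   # no match: '.cts1' is not the extension
]

if __name__ == "__main__":
    print(triage_paths(SAMPLE_PATHS))
```

Because the suffix number is not fixed, the check keys on the ‘.cts’ prefix plus any digits rather than on ‘.cts1’ alone, and reports which numbers were actually observed.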
