Cybersecurity researchers have shed light on a new ransomware strain called CACTUS that has been found to leverage known flaws in VPN appliances to obtain initial access to targeted networks.
“Once inside the network, CACTUS actors attempt to enumerate local and network user accounts in addition to reachable endpoints before creating new user accounts and leveraging custom scripts to automate the deployment and detonation of the ransomware encryptor via scheduled tasks,” Kroll said in a report shared with The Hacker News.
The ransomware has been observed targeting large commercial entities since March 2023, with attacks employing double extortion tactics to steal sensitive data prior to encryption. No data leak site has been identified to date.
Following a successful exploitation of vulnerable VPN devices, an SSH backdoor is set up to maintain persistent access and a series of PowerShell commands are executed to conduct network scanning and identify a list of machines for encryption.
CACTUS attacks also utilize Cobalt Strike and a tunneling tool referred to as Chisel for command-and-control, alongside remote monitoring and management (RMM) software like AnyDesk to push files to the infected hosts.
Also taken are steps to disable and uninstall security solutions as well as extract credentials from web browsers and the Local Security Authority Subsystem Service (LSASS) for escalating privileges.
Privilege escalation is succeeded by lateral movement, data exfiltration, and ransomware deployment, the last of which is achieved by means of a PowerShell script that has also been used by Black Basta.
A novel aspect of CACTUS is the use of a batch script to extract the ransomware binary with 7-Zip, followed by removing the .7z archive before executing the payload.
“CACTUS essentially encrypts itself, making it harder to detect and helping it evade antivirus and network monitoring tools,” Laurie Iacono, associate managing director for cyber risk at Kroll, told The Hacker News.
“This new ransomware variant under the name CACTUS leverages a vulnerability in a popular VPN appliance, showing threat actors continue to target remote access services and unpatched vulnerabilities for initial access.”
The development comes days after Trend Micro shed light on another type of ransomware known as Rapture that bears some similarities to other families such as Paradise.
“The whole infection chain spans three to five days at most,” the company said, with the initial reconnaissance followed by the deployment of Cobalt Strike, which is then used to drop the .NET-based ransomware.
Learn to Stop Ransomware with Real-Time Protection
Join our webinar and learn how to stop ransomware attacks in their tracks with real-time MFA and service account protection.
Save My Seat!
The intrusion is suspected to be facilitated through vulnerable public-facing websites and servers, making it imperative that companies take steps to keep systems up-to-date and enforce the principle of least privilege (PoLP).
“Although its operators use tools and resources that are readily available, they have managed to use them in a way that enhances Rapture’s capabilities by making it stealthier and more difficult to analyze,” Trend Micro said.
CACTUS and Rapture are the latest additions to a long list of new ransomware families that have come to light in recent weeks, including Gazprom, BlackBit, UNIZA, Akira, and a NoCry ransomware variant called Kadavro Vector.