CACTUS ransomware is a malware strain that was first discovered in the wild in March 2023. Its name is based on the ransom note that it places on victims’ computers, which is named cAcTuS.readme.txt. The malware also creates encrypted files with the .cts1 extension, where the number at the end of the extension can vary.
CACTUS ransomware usually exploits vulnerabilities in virtual private network (VPN) software to gain access to a target environment. After gaining access to the system, the malware establishes command and control (C2) communications with its operator via SSH. It also takes advantage of Scheduled Tasks on the infected system to maintain persistence across reboots.
Once it has a foothold on the target network, the malware scans the network to identify other hosts it can infect. It then uses various methods to steal user credentials, such as collecting them from web browsers and dumping them from LSASS. These compromised credentials are then used to gain the level of access required to carry out the attack, including adding or accessing accounts on remote devices that the malware can use to spread itself through the network.
Once on a device, the malware uses msiexec to uninstall common antivirus software. The malware also incorporates various techniques designed to protect it against detection, including distributing itself in an encrypted form that requires an AES key to unpack. This technique is likely intended to hinder analysis: researchers and sandboxes may not have obtained the decryption key alongside their copy of the sample, or may not know the configuration parameters required to trigger its malicious functionality.
CACTUS is an example of a double-extortion ransomware variant. In addition to encrypting data — with a combination of RSA and AES — the malware also attempts to exfiltrate it. It has been observed to use Rclone for this, which moves stolen files to cloud storage. Once encryption and exfiltration are complete, the malware posts ransom notes on the user’s computer.
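As an added defensive example (not from the original article and not Check Point's tooling), the following Python flags three of the behaviours described above in process-creation telemetry: silent msiexec uninstalls, Scheduled Task persistence launched from user-writable paths, and Rclone transfers to a configured remote. The event format, host names and sample command lines are constructed assumptions, not real CACTUS artifacts.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    """A process-creation record (e.g. Sysmon Event ID 1) reduced to the two fields the rules need."""
    host: str
    command_line: str


# Constructed sample telemetry for this example; none of it is real CACTUS tooling or an IoC.
SAMPLE_EVENTS = [
    ProcessEvent("WS01", r"msiexec.exe /x {PLACEHOLDER-PRODUCT-CODE} /qn"),
    ProcessEvent("SRV02", r'schtasks.exe /create /tn "SystemUpdate" /tr "C:\ProgramData\update.exe" /sc onstart /ru SYSTEM'),
    ProcessEvent("SRV02", r"rclone.exe copy C:\Finance\Reports remote:share --transfers 4"),
    ProcessEvent("WS01", r'msiexec.exe /i "C:\Users\alice\Downloads\tool.msi" /qn'),  # install, not uninstall
    ProcessEvent("WS03", r'schtasks.exe /create /tn "NightlyBackup" /tr "C:\Program Files\Backup\backup.exe" /sc daily /st 02:00'),
]

# A rule fires only when every pattern in its list matches the command line (case-insensitive).
RULES = {
    # Silent MSI uninstall (/x or /uninstall plus a quiet switch): the antivirus-removal step.
    "msiexec_silent_uninstall": [r"\bmsiexec(\.exe)?\b", r"\s/(x|uninstall)\b", r"\s/q(n|b|uiet)?\b"],
    # Task that runs a binary from a user-writable directory at boot or logon: the persistence step.
    "schtasks_persist_writable_path": [
        r"\bschtasks(\.exe)?\b", r"\s/create\b",
        r'/tr\s+"?[^"\s]*\\(ProgramData|Users\\Public|Temp|AppData)\\',
        r"\s/sc\s+(onstart|onlogon)\b"],
    # rclone copy/sync/move with a configured remote (name:path, not a drive letter): the exfiltration step.
    "rclone_remote_transfer": [r"\brclone(\.exe)?\b", r"\s(copy|sync|move)\b", r"\s[A-Za-z0-9_-]{2,}:"],
}


def matched_rules(event: ProcessEvent) -> list[str]:
    """Return the names of all rules whose patterns all match this event's command line."""
    return [name for name, patterns in RULES.items()
            if all(re.search(p, event.command_line, re.I) for p in patterns)]


def triage(events: list[ProcessEvent]) -> dict[str, list[str]]:
    """Group distinct rule hits by host; hosts with no hits are omitted so the result is the work queue."""
    hits: dict[str, set[str]] = {}
    for event in events:
        for name in matched_rules(event):
            hits.setdefault(event.host, set()).add(name)
    return {host: sorted(names) for host, names in hits.items()}


if __name__ == "__main__":
    for host, names in triage(SAMPLE_EVENTS).items():
        print(f"{host}: {', '.join(names)}")
```

A single host hitting the uninstall, persistence and transfer rules in sequence is the pattern worth escalating; any one rule alone is routinely noisy in an enterprise.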
CACTUS ransomware uses known VPN vulnerabilities to gain access to its victims, which limits its pool of potential targets to those organizations using known vulnerable VPN appliances. Additionally, CACTUS has primarily been observed to target large enterprises, which have the resources required to meet a large ransom request.
CACTUS is an example of a ransomware variant designed to attack corporate networks while using various evasion techniques to fly under the radar. Some security best practices that organizations can implement to protect against this threat include:
Ransomware has become one of the most significant threats to organizations’ data, reputation, and bottom line. The modern ransomware attack not only threatens access to data via encryption but also incorporates data theft and shaming to increase the pressure on organizations to pay the demanded ransom.
However, ransomware like CACTUS is only one of several cybersecurity threats that companies face. To learn more about the extent of the current cyber threat landscape, check out Check Point’s 2024 Cyber Security Report.
Check Point Harmony Endpoint offers organizations the tools that they need to protect against ransomware and other potential threats to their endpoints and data. Its prevention-focused approach to security is designed to identify and eradicate the threat before it can encrypt or leak sensitive data. To learn more about Harmony Endpoint’s capabilities and how it can enhance your organization’s defenses against ransomware, request a free demo.