CACTUS ransomware targets businesses via VPN exploits and encrypts data. Learn how it works, what it steals, and how to protect your organization with strong security practices.
CACTUS ransomware usually exploits vulnerabilities in virtual private network (VPN) software to gain access to a target environment. After gaining access to the system, the malware establishes command and control (C2) communications with its operator via SSH. It also uses Scheduled Tasks on the infected system to maintain persistence across reboots.
With a footprint on the target network, the malware uses network scanning to identify potential targets for infection. It then uses various methods to steal user credentials, such as collecting them from web browsers and dumping them from LSASS. These compromised credentials are then used to gain the required level of access to perform the attack. This includes adding or accessing accounts on remote devices that the malware can use to spread itself through the network.
Once on a device, the malware uses msiexec to uninstall common antivirus software. The malware also incorporates various techniques designed to protect it against detection, including the distribution of the malware in an encrypted form that requires an AES key to unpack. This technique is likely designed to protect against malware analysis since researchers and sandboxes may not have collected the appropriate decryption key alongside their malware copy or are unaware of the configuration parameters required to trigger its malicious functionality.
CACTUS is an example of a double-extortion ransomware variant. In addition to encrypting data — with a combination of RSA and AES — the malware also attempts to exfiltrate it. It has been observed to use Rclone for this, which moves stolen files to cloud storage. Once encryption and exfiltration are complete, the malware posts ransom notes on the user’s computer.
What Does CACTUS Ransomware Target?
CACTUS ransomware uses known VPN vulnerabilities to gain access to its victims, which limits its pool of potential targets to those organizations using known vulnerable VPN appliances. Additionally, CACTUS has primarily been observed to target large enterprises with the resources required to meet a large ransom request.
Also Read: What’s Next for Cybersecurity? An Industry Insider’s Look
How to Protect Against CACTUS Ransomware
CACTUS is an example of a ransomware variant designed to attack corporate networks while using various evasion techniques to fly under the radar. Some security best practices that organizations can implement to protect against this threat include:
- Patch Management:Â CACTUS ransomware primarily infects systems by exploiting known vulnerabilities in unpatched VPN systems. Promptly applying updates and patches when they become available can prevent the malware from using this access vector.
- Strong Authentication: This ransomware often attempts to steal credentials from browsers and LSASS to gain the access and privileges necessary to accomplish its objectives. Implementing multi-factor authentication (MFA) for user accounts can prevent CACTUS from using the passwords it steals from an infected computer.
- Employee Education: CACTUS exploits password reuse by dumping passwords from various sources on an infected computer. Training employees on account security, and best practices can help to reduce or eliminate this threat.
- Network Segmentation: CACTUS attempts to move laterally through the network using accounts it created or compromised from an infected computer. Network segmentation isolates high-value systems from the rest of the network, making them more difficult for attackers to access.
- Network Security:Â This ransomware uses network scanning and remote access tools to move through the network. Network monitoring and security solutions can identify and block these attempts at lateral movement.
- Anti-Ransomware Solutions: CACTUS attempts to encrypt sensitive files and exfiltrate them via cloud storage. Anti-ransomware solutions can identify this malicious behavior and eradicate the malware infection.
