Cactus ransomware is a strain first observed in March 2023 that has been used against large commercial entities. It takes its name from the filename of its ransom note, “cAcTuS.readme.txt”. The operators combine a purpose-built encryptor with a toolkit of commodity and legitimate administration software to move through a network before encrypting it.
What sets Cactus apart is that the encryptor protects itself: the binary will not run unless it is handed a key at execution time, and the operators stage that key in a file named ntuser.dat, the same name as the legitimate Windows user-profile registry hive. Keeping the payload unusable without the key is most likely meant to frustrate static antivirus scanning and analyst sandboxing of the dropped file.
The intrusion relies on a set of tools and techniques that includes Chisel, Rclone, TotalExec.ps1, scheduled tasks, and custom batch and PowerShell scripts. These are used to disable security software and to push the ransomware binary to many hosts at once.
Cactus gains initial access by exploiting publicly documented vulnerabilities in VPN appliances and then uses a combination of PowerShell commands and external tools for internal reconnaissance.
Timeline and Active Period Since March 2023
Cactus ransomware has been operational since March 2023, with a series of targeted attacks on large commercial entities. Across the intrusions examined, the threat actors have followed a consistent sequence:
Initial Access (March 2023):
- Exploitation of documented vulnerabilities in VPN appliances.
- Establishment of an SSH backdoor for persistent access via Scheduled Tasks.
Internal Scouting Tactics:
- Use of SoftPerfect Network Scanner and PowerShell commands for endpoint enumeration.
- Identification of user accounts by reading Windows Security event 4624 (successful logon) records, which reveal which accounts log on to which hosts.
- Ping commands for reaching remote endpoints.
Toolkit Deployment for Persistence:
- Utilization of legitimate remote access tools (Splashtop, AnyDesk, SuperOps RMM).
- Deployment of Cobalt Strike and Chisel (a SOCKS5 proxy tool) for covert command-and-control communications.
- Dumping of credentials from web browsers.
- Manual searches for password-containing files on the disk.
- Potential LSASS credential dumping for privilege escalation.
Lateral Movement Strategies:
- Utilization of valid and created accounts.
- Use of Remote Desktop Protocol (RDP) and remote management tools such as SuperOps RMM.
Mission Execution – Ransomware Deployment:
- Encryption of files, which are renamed with a .cts extension followed by a single digit (written as “.cts\d” in regular-expression notation).
- Exfiltration of sensitive data beforehand, using Rclone to copy files to attacker-controlled cloud storage.
Cactus Ransomware Tactics and Techniques
a. Initial Exploit
Targeting VPN Appliance Vulnerabilities:
Cactus operators gain their first foothold by exploiting publicly documented vulnerabilities in VPN appliances. Because these appliances sit on the network edge and are often excluded from endpoint security tooling, a successful exploit gives the threat actors an internal foothold with little initial visibility for defenders.
Establishing SSH Backdoor Access:
Following exploitation of the VPN appliance, Cactus establishes an SSH backdoor to its command-and-control infrastructure for persistent access. A scheduled task re-launches the backdoor, so the connection survives reboots and gives the threat actors a reliable, low-profile re-entry point.
b. Internal Scouting
SoftPerfect Network Scanner and PowerShell Commands:
Cactus scouts the internal network with SoftPerfect Network Scanner and a series of PowerShell commands. The PowerShell activity enumerates network endpoints, reads Windows Security event 4624 (successful logon) records to learn which user accounts are in use and where, and pings remote endpoints to confirm they are reachable. The output of these commands is written to files for later use.
Identification of Network Endpoints:
Beyond the built-in commands, the threat actors run a modified copy of the open-source script PSnmap.ps1, a PowerShell equivalent of Nmap, to identify other endpoints on the network.
c. Toolkit Deployment
Remote Access Methods and Proxy Tools:
To maintain persistence within the compromised environment, Cactus deploys a variety of remote access tools, including legitimate ones like Splashtop, AnyDesk, and SuperOps RMM. Additionally, the threat actors utilize proxy tools such as Chisel, a SOCKS5 proxy, to tunnel traffic through firewalls for hidden communications with their command-and-control server.
Scripted Anti-Virus Software Uninstallation:
Once the threat actors have attained the desired level of access, they execute a batch script that leverages msiexec to uninstall common anti-virus software. This scripted approach, including the use of Bitdefender uninstaller in some instances, aims to disable security measures and clear the way for ransomware deployment.
Credential Dumping and Privilege Escalation Batch Script:
For credential access, Cactus commonly dumps saved credentials from users’ web browsers. The threat actors then run a batch script that plants privileged accounts on remote endpoints: it creates a new local user, enables it, and adds it to the Administrators group. The same script modifies registry settings so that the host automatically logs on as that account and schedules further scripts to run when the system restarts, which gives the operators an interactive administrator session that survives a reboot.
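The account-creation chain just described leaves a distinctive trail in Windows event logs. The following detection is an added example for this page, not Cactus tooling and not code from the original write-up. It correlates Security events 4720 (account created), 4722 (account enabled), 4732 (member added to a local group) and 4698 (scheduled task created) with Sysmon event 13 (registry value set) on the Winlogon auto-logon values, all on the same host within a short window. The event records are constructed dicts in the shape a SIEM export might carry; the field names and the host, account and task names are assumptions to adapt to your own pipeline.

```python
"""Detect the rogue-admin persistence chain in Windows event data.

Added example for this page; not Cactus tooling and not code from the
original write-up. Events are plain dicts in the shape a SIEM export might
carry (field names are assumptions, adapt them to your pipeline):
  Security 4720  user account created        (target_user, subject_user)
  Security 4722  user account enabled        (target_user)
  Security 4732  member added to local group (member, group)
  Security 4698  scheduled task created      (task_name)
  Sysmon   13    registry value set          (target_object)
"""
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)
WINLOGON_KEY = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
AUTOLOGON_VALUES = ("AutoAdminLogon", "DefaultUserName", "DefaultPassword")


def _ts(event):
    return datetime.fromisoformat(event["time"])


def _step(event, account):
    """Name the chain step this event represents for `account`, or None."""
    eid = event["event_id"]
    if eid == 4722 and event.get("target_user") == account:
        return "enabled"
    if eid == 4732 and event.get("member") == account and event.get("group") == "Administrators":
        return "added_to_administrators"
    if eid == 13 and event.get("target_object", "").startswith(WINLOGON_KEY + "\\"):
        value_name = event["target_object"].rsplit("\\", 1)[1]
        if value_name in AUTOLOGON_VALUES:
            return "autologon_" + value_name.lower()
    if eid == 4698:
        return "scheduled_task"
    return None


def detect_rogue_admin_chain(events, window=WINDOW):
    """Anchor on each 4720 and collect chain steps on the same host inside `window`.

    An alert requires at least creation plus Administrators membership; the
    other steps are reported when present so an analyst sees how far the chain got.
    """
    events = sorted(events, key=_ts)
    alerts = []
    for anchor in events:
        if anchor["event_id"] != 4720:
            continue
        host, account, t0 = anchor["host"], anchor["target_user"], _ts(anchor)
        steps = []
        for e in events:
            if e["host"] != host or not (t0 <= _ts(e) <= t0 + window):
                continue
            step = _step(e, account)
            if step and step not in steps:
                steps.append(step)
        if "added_to_administrators" in steps:
            alerts.append({"host": host, "account": account,
                           "created_by": anchor.get("subject_user"), "steps": steps})
    return alerts


# Constructed sample data: one benign helpdesk account creation and one chain
# that looks like the batch script described above (all names are invented).
SAMPLE_EVENTS = [
    {"time": "2023-04-03T09:00:00", "host": "WS22", "event_id": 4720,
     "subject_user": "helpdesk", "target_user": "jdoe"},
    {"time": "2023-04-03T09:00:05", "host": "WS22", "event_id": 4732,
     "member": "jdoe", "group": "Remote Desktop Users"},
    {"time": "2023-04-03T02:14:00", "host": "FS01", "event_id": 4720,
     "subject_user": "svc_backup", "target_user": "sysadmin2"},
    {"time": "2023-04-03T02:14:01", "host": "FS01", "event_id": 4722,
     "target_user": "sysadmin2"},
    {"time": "2023-04-03T02:14:02", "host": "FS01", "event_id": 4732,
     "member": "sysadmin2", "group": "Administrators"},
    {"time": "2023-04-03T02:14:10", "host": "FS01", "event_id": 13,
     "target_object": WINLOGON_KEY + r"\AutoAdminLogon", "details": "1"},
    {"time": "2023-04-03T02:14:11", "host": "FS01", "event_id": 13,
     "target_object": WINLOGON_KEY + r"\DefaultUserName", "details": "sysadmin2"},
    {"time": "2023-04-03T02:14:30", "host": "FS01", "event_id": 4698,
     "task_name": r"\OneDriveUpdate"},
]

if __name__ == "__main__":
    for alert in detect_rogue_admin_chain(SAMPLE_EVENTS):
        print(alert)
```

The benign helpdesk creation on WS22 produces no alert because the account never lands in Administrators; the FS01 sequence does, and the alert lists every stage that was observed, which is what makes the auto-logon and scheduled-task steps worth collecting even though they are not required to fire.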
How Cactus Ransomware Moves Laterally within Compromised Networks/Systems
Account-Based and RDP Lateral Movement
Cactus Ransomware employs a variety of lateral movement techniques to expand its presence within the compromised network:
- Account-Based Lateral Movement:
Threat actors utilize both valid and created accounts to move laterally within the network. By leveraging these accounts, they navigate through different systems and escalate privileges, enabling further access to sensitive areas.
- Remote Desktop Protocol (RDP):
Cactus utilizes the Remote Desktop Protocol (RDP) as a means of lateral movement. This involves the threat actors accessing and controlling remote systems within the network, extending their reach and potentially compromising additional endpoints.
Use of Remote Management Tools (e.g., SuperOps RMM)
Cactus also moves laterally with remote management tools, SuperOps RMM being the observed example. These products are built so that administrators can manage and troubleshoot systems remotely; once installed by the threat actors they provide the same remote execution and file transfer capabilities for unauthorized access and control. Two properties make them attractive to the operators:
Legitimate Remote Management Tools:
The agents are signed, commercially supported software that many environments already permit, so their installation and traffic are less likely to be blocked or flagged than a custom implant would be.
Increased Stealth and Efficiency:
Because the tool’s console reaches every enrolled host, the operators can run commands and stage files across the network quickly, and their activity blends in with ordinary administration.
The combination of account-based movement, RDP and RMM tooling means that blocking any single channel is unlikely to contain Cactus once it has valid credentials.
Mission Execution and Ransomware Deployment
Sensitive Data Exfiltration
Leveraging Tools Like Rclone for Cloud Storage:
Cactus Ransomware incorporates a data exfiltration strategy to increase the pressure for extortion. The threat actors leverage tools such as Rclone, which automates the extraction of files to cloud storage. This process allows the ransomware operators to remove sensitive data from the compromised network, potentially giving them leverage in negotiations.
TotalExec.ps1 and PsExec Deployment:
Cactus employs a scripted approach to execute its ransomware, utilizing TotalExec.ps1 and PsExec. TotalExec.ps1 acts as an automation tool, facilitating the deployment of the ransomware encryptor across multiple devices. PsExec is employed to remotely execute processes on target machines, enabling the threat actors to maintain control over the ransomware deployment.
Encryption Mode and File Encryption Process:
When the encryptor is started with the required key, it enters its encryption mode and decodes a hard-coded hex string that carries the embedded key material, then begins encrypting files. Each file is encrypted with AES under a random per-file key. That per-file key is in turn encrypted with the operators’ public RSA key and stored with the file, an “envelope” construction: the encryptor needs only the public key to run, while recovering any file key, and therefore any file, requires the private RSA key that only the threat actors hold.
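To make the envelope construction concrete, here is an added illustration of the scheme as the page describes it (a fresh symmetric key per file, wrapped under an RSA public key). It is not Cactus code and not from the original write-up. To run with the standard library alone it uses two stand-ins that must not be reused for real protection: a SHA-256 keystream in counter mode takes the place of AES, and the RSA key is a small textbook keypair built from two Mersenne primes with no padding. The point it demonstrates is unchanged by the stand-ins: the encryptor only ever holds the public exponent, and decryption with anything but the private exponent yields garbage.

```python
"""Envelope (hybrid) file encryption: per-file symmetric key, wrapped with RSA.

Added illustration for this page, not Cactus code. Stand-ins (demo only):
  * file cipher = SHA-256 keystream in counter mode instead of AES;
  * RSA keypair from two Mersenne primes (~216-bit modulus), used textbook
    style with no OAEP padding.
"""
import hashlib
import os

P = 2**127 - 1            # Mersenne prime
Q = 2**89 - 1             # Mersenne prime
N = P * Q                 # public modulus, roughly 216 bits
E = 65537                 # public exponent (the part embedded in the encryptor)
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent, held only by the operators

FILE_KEY_BYTES = 16       # 128-bit per-file key; must stay below N
N_BYTES = (N.bit_length() + 7) // 8


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Counter-mode stream cipher over a SHA-256 keystream (stand-in for AES-CTR).
    XOR is symmetric, so the same function encrypts and decrypts."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        counter = (offset // 32).to_bytes(8, "big")
        block = hashlib.sha256(key + nonce + counter).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


def wrap_key(file_key: bytes, e: int = E, n: int = N) -> int:
    """RSA-encrypt the per-file key using only the PUBLIC key."""
    m = int.from_bytes(file_key, "big")
    if m >= n:
        raise ValueError("file key too large for this modulus")
    return pow(m, e, n)


def unwrap_key(wrapped: int, d: int, n: int = N) -> bytes:
    """Recover the per-file key; only the private exponent d gives the right answer."""
    m = pow(wrapped, d, n)
    return m.to_bytes(N_BYTES, "big")[-FILE_KEY_BYTES:]   # drop RSA leading zero bytes


def encrypt_file(plaintext: bytes) -> dict:
    """Encryptor side: needs only (E, N). Returns the envelope that replaces the file."""
    file_key = os.urandom(FILE_KEY_BYTES)
    nonce = os.urandom(16)
    return {"wrapped_key": wrap_key(file_key),
            "nonce": nonce,
            "ciphertext": keystream_xor(file_key, nonce, plaintext)}


def decrypt_file(envelope: dict, d: int) -> bytes:
    """Decryptor side: the step a ransom payment is supposed to buy."""
    file_key = unwrap_key(envelope["wrapped_key"], d)
    return keystream_xor(file_key, envelope["nonce"], envelope["ciphertext"])


if __name__ == "__main__":
    doc = b"Q2 payroll export - constructed sample content"
    env = encrypt_file(doc)
    print("recovered with private key:", decrypt_file(env, D) == doc)
    print("recovered with public data:", decrypt_file(env, E) == doc)
```

Two consequences for responders follow directly from the structure: capturing the encryptor binary or its configuration gives you the public key only, which is useless for recovery, and every file carries its own wrapped key, so there is no single symmetric key to find in memory that unlocks everything.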
Ransom Note Details (cAcTuS.readme.txt):
After encryption, files are renamed with a .cts extension followed by a single digit (“.cts\d” in regular-expression notation). Cactus drops a ransom note named “cAcTuS.readme.txt” that tells victims how to open negotiations with the operators over Tox chat.
No Identified “Shaming Site”:
As of the writing of this blog, there is no identified “shaming site” or victim identification-related blog associated with Cactus Ransomware. This differs from the tactics of some ransomware groups that publicly shame victims to increase pressure for ransom payments. The absence of such a site suggests a unique approach by the Cactus operators, making it challenging to predict their response if a ransom is not paid.
MITRE ATT&CK Mapping of Cactus Ransomware
Aligned Tactics and Techniques with MITRE ATT&CK Framework
Mapping the observed behaviour onto the MITRE ATT&CK framework gives defenders a shared vocabulary for detection engineering and gap analysis. Each entry below pairs a technique ID with the tactic it serves; the mapping describes what the operators did, not a choice on their part to follow the framework:
- Initial Access, Exploit Public-Facing Application (T1190): initial access through publicly documented vulnerabilities in VPN appliances.
- Execution, Command and Scripting Interpreter: PowerShell (T1059.001): PowerShell commands and scripts (PSnmap.ps1, TotalExec.ps1) for internal scouting, endpoint enumeration and encryptor deployment.
- Persistence, Scheduled Task (T1053.005): scheduled tasks re-launch the SSH backdoor and run follow-on scripts at system restart.
- Command and Control, Remote Access Software (T1219) and Proxy (T1090): legitimate remote access tools (Splashtop, AnyDesk, SuperOps RMM) maintain a foothold, and Chisel tunnels command-and-control traffic through the firewall as a SOCKS5 proxy.
- Persistence, Create Account: Local Account (T1136.001): new local accounts are created, enabled and added to the Administrators group, with registry changes for automatic logon.
- Credential Access, Credentials from Web Browsers (T1555.003): saved browser credentials are dumped to support lateral movement.
- Discovery, Remote System Discovery (T1018), System Network Connections Discovery (T1049) and Account Discovery (T1087): SoftPerfect Network Scanner, PSnmap.ps1 and ping sweeps enumerate hosts, and Security event 4624 records reveal active accounts.
- Lateral Movement, Remote Services: Remote Desktop Protocol (T1021.001): RDP with valid or newly created accounts to reach additional systems.
- Exfiltration, Exfiltration to Cloud Storage (T1567.002): Rclone copies data to attacker-controlled cloud storage before encryption.
- Impact, Data Encrypted for Impact (T1486): files encrypted with per-file AES keys that are themselves wrapped with the operators’ RSA public key.
Risk Mitigation Strategies for Cactus Ransomware
How to Prepare for Cactus Ransomware
Regular Patching of VPN Devices:
Ensure that VPN devices and appliances are regularly updated with the latest security patches. Regular patching helps eliminate known vulnerabilities and strengthens the overall security posture against potential exploitation.
Enhanced Password Management:
Implement and enforce robust password management. Require long, unique passwords or passphrases, screen new passwords against known-breached lists, and keep service-account credentials in a vault rather than in scripts or files on disk, which is exactly where Cactus operators look for them. Rotate credentials promptly when compromise is suspected, and after patching a VPN appliance treat any credential it held as exposed and rotate it, since attackers who exploited the appliance may already have it.
Monitoring and Logging PowerShell Activity:
Establish comprehensive monitoring and logging mechanisms for PowerShell activity. Regularly review logs to detect and respond to suspicious or anomalous PowerShell commands, which are commonly utilized by threat actors for reconnaissance and execution.
Account Auditing and Privilege Management:
Conduct regular audits of user accounts, particularly privileged accounts. Ensure that accounts have the minimum necessary privileges for their roles (principle of least privilege). Regularly review and revoke unnecessary privileges to limit the impact of potential credential compromise.
How to Mitigate the Risk of a Cactus Ransomware Attack
Multi-factor Authentication (MFA) Implementation:
Implement multi-factor authentication (MFA) across all relevant systems and services, starting with the VPN and any remote access or RMM tooling, the two entry points Cactus abused. MFA requires additional verification beyond a password, so stolen or dumped credentials alone are not enough to log on; enforce it on administrative accounts as well as standard users, and alert on newly enrolled MFA devices.
Review and Strengthen Backup Strategies:
- Regularly review and enhance backup strategies.
- Adopt air-gapped backups, keeping a separate, isolated copy of critical data offline to prevent ransomware from affecting backup integrity.
- Consider immutable backups, which are resistant to modification or deletion, providing an additional layer of protection.
Security Awareness Training:
Conduct regular security awareness training for employees to educate them about the evolving threat landscape. Equip users with the knowledge to recognize spear phishing attempts, social engineering, and other tactics employed by threat actors. A well-informed workforce contributes to a more resilient security environment.
Incident Response Planning:
Develop and regularly update an incident response plan. Ensure that the plan outlines clear steps for identifying, containing, eradicating, recovering, and analyzing security incidents. Conduct regular drills to test the effectiveness of the plan and refine it based on lessons learned.
In conclusion, Cactus Ransomware represents a significant threat, utilizing advanced tactics such as exploiting VPN vulnerabilities and employing unique encryption methods. The key takeaway is the critical importance of cybersecurity preparedness.
As cyber threats continue to evolve, organizations must adopt proactive measures, including regular patching, robust password management, and ongoing employee training. Incident response planning is paramount for effective mitigation in the event of an attack.
The cybersecurity landscape demands constant vigilance. Staying informed, updating defenses, and fostering collaboration within the cybersecurity community are essential practices for navigating the ever-changing threat landscape.