Cactus Ransomware: What You Need to Know

Cactus Ransomware is a newly identified and formidable threat targeting large commercial organizations. This strain has garnered attention due to its advanced evasion tactics against antivirus measures and its proficiency in exploiting known vulnerabilities within VPN appliances to gain initial access to networks. 

In this comprehensive article, we will explore the Cactus ransomware variant in detail, and provide information on the indicators of compromise (IOC) associated with the group’s activity. 

It’s essential to understand which industries the ransomware targets and have some insight into how it operates to improve your cybersecurity and ransomware defense. 

Cactus ransomware overview

In March 2023, experts saw the first signs of Cactus ransomware. The threat emerged as it targeted high-profile organizations, leaving a trail of encrypted files and a distinctive “.CTS1” or “.CTS6” extension. Its evolution reflects an ongoing effort to stay ahead of security measures, making it particularly challenging to combat.

Cactus is classified as a multifaceted threat, falling into categories such as Ransomware, Crypto Virus, Files Locker, and engaging in double extortion. The group strategically targets VPN appliances, exploiting vulnerabilities for initial access. 

By encrypting files, demanding ransoms, and adding double extortion tactics that involve the theft of sensitive data, the cybercriminals seek financial gain; their motivation is clearly monetary.

Cactus ransomware employs unique and undisclosed encryption techniques. By encrypting its own code, the malware enhances its ability to elude antivirus and network monitoring tools. 

How to identify Cactus ransomware: Main IOCs

Indicators of compromise (IOCs) are pieces of forensic data that can help identify malicious activity or malware associated with a cyber attack. They include the encryption extension, file hashes, and IP addresses, among other details cyber criminals leave behind as they infect a machine or system. 

Important: Some of these indicators require technical knowledge of the infected system, so you may need to contact your IT team or a digital forensics service provider.

Cactus ransomware-specific IOCs include:

File Extensions:

  • .CTS1
  • .CTS6

Ransom Note:

  • Filename: cAcTuS.readme.txt

Detection Names:

  • Avast: Win64:Trojan-gen
  • Emsisoft: Generic.Ransom.Cactus.A.6A6CBCEA (B)
  • Kaspersky: Trojan-Ransom.Win32.Cactus.d
  • Sophos: Mal/Generic-S
  • Microsoft: Ransom:Win32/Cactus.LKV!MTB
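
As an added example (not part of the original article, and not a Proven Data tool), the following Python script checks a file listing or a live directory tree for the file-based indicators above: the .CTS1 and .CTS6 extensions and the cAcTuS.readme.txt ransom note. The function names and the sample file listing in the demo are my own constructions.

```python
import os
from collections import Counter
from typing import Dict, Iterable, List, Optional

# File-based indicators listed in the article. Comparisons are case-insensitive
# because the ransom note name uses mixed case and extensions may be recased.
CACTUS_EXTENSIONS = {".cts1", ".cts6"}
CACTUS_RANSOM_NOTE = "cactus.readme.txt"  # on disk: cAcTuS.readme.txt


def classify_path(path: str) -> Optional[str]:
    """Return 'ransom_note', 'encrypted_file', or None for a single path."""
    name = os.path.basename(path).lower()
    if name == CACTUS_RANSOM_NOTE:
        return "ransom_note"
    ext = os.path.splitext(name)[1]
    if ext in CACTUS_EXTENSIONS:
        return "encrypted_file"
    return None


def summarize_iocs(paths: Iterable[str]) -> Dict[str, object]:
    """Tally Cactus file indicators over any iterable of paths.

    Accepts a live os.walk() as well as a file listing exported from a backup
    catalogue or a forensic image, so the check can also run offline.
    """
    counts: Counter = Counter()
    note_dirs = set()
    for path in paths:
        kind = classify_path(path)
        if kind is None:
            continue
        counts[kind] += 1
        if kind == "ransom_note":
            # The note is dropped per directory; its locations show the spread.
            note_dirs.add(os.path.dirname(path))
    return {
        "encrypted_files": counts["encrypted_file"],
        "ransom_notes": counts["ransom_note"],
        "ransom_note_dirs": sorted(note_dirs),
        "likely_cactus": counts["encrypted_file"] > 0 or counts["ransom_note"] > 0,
    }


def walk_paths(root: str) -> Iterable[str]:
    """Yield every file path under root (os.walk does not follow symlinks by default)."""
    for dirpath, _, filenames in os.walk(root):
        for filename in filenames:
            yield os.path.join(dirpath, filename)


def scan_tree(root: str) -> Dict[str, object]:
    """Scan a live directory tree, e.g. a mounted file share or a forensic copy."""
    return summarize_iocs(walk_paths(root))


if __name__ == "__main__":
    # Constructed sample listing; replace with scan_tree("/path/to/share").
    SAMPLE_LISTING: List[str] = [
        "/srv/share/finance/q3-report.xlsx.CTS1",
        "/srv/share/finance/cAcTuS.readme.txt",
        "/srv/share/hr/contracts.zip.CTS6",
        "/srv/share/hr/cAcTuS.readme.txt",
        "/srv/share/public/readme.txt",
    ]
    for key, value in summarize_iocs(SAMPLE_LISTING).items():
        print(f"{key}: {value}")
```

Run it against a file listing taken from a backup catalogue before restoring, so you do not restore already-encrypted copies, or point scan_tree at a read-only mount of a suspect share. A match on the extension or the note name is strong evidence for this family, but the absence of both does not rule it out, since the extension can change between versions.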

If you can’t identify the ransomware strain through its IOCs, you can use Proven Data’s free ransomware ID tool to check if the Cactus ransomware is the malware that encrypts your files.

How Cactus ransomware works

Understanding how Cactus ransomware operates is crucial for implementing effective preventive measures and developing strategies for mitigating its impact. In the following step-by-step description, we will delve into the intricacies of Cactus ransomware, shedding light on its infection vectors, encryption process, and the implications for affected systems and data. 

1. Initial Access

A Virtual Private Network (VPN) is a technology that establishes a secure and encrypted connection, or “tunnel,” between a user’s device and a remote server. The primary purpose of a VPN is to ensure the confidentiality and integrity of data transmitted over the Internet, especially when using public networks. 

Cactus ransomware gains entry into systems by exploiting vulnerabilities in Virtual Private Network (VPN) appliances.

VPN providers release updates to patch security vulnerabilities and improve overall performance. Regularly check for updates and apply them promptly.

2. Exploitation

Once inside the network, Cactus ransomware employs lateral movement, spreading across devices within the network. It takes advantage of weaknesses in network security, including weak passwords or unpatched software, to gain control over multiple machines.

3. Execution

Cactus utilizes several tools such as Chisel, Rclone, TotalExec, and Scheduled Tasks to carry out its malicious activities. These tools help the ransomware establish persistence on infected systems, ensuring it can continue its operations even after a system reboot.

4. Data Theft

Before initiating the encryption process, Cactus ransomware exfiltrates sensitive data from compromised systems. This stolen data is later used as leverage for further extortion or may be sold on underground forums.

5. Encryption

Cactus ransomware employs unique encryption techniques to encrypt the victim’s files. The specific encryption algorithm and method used by Cactus remain undisclosed. Notably, the ransomware encrypts its own code, enhancing its ability to evade detection by antivirus and network monitoring tools.

6. Ransom Note

After completing the encryption process, Cactus ransomware leaves a ransom note named “cAcTuS.readme.txt.” This note provides instructions on how victims can negotiate with the attackers, typically directing them to TOX chat, an encrypted messaging platform.

Important: Do not pay the ransom. Paying the ransom does not guarantee that you will get your data back, and it may encourage the attackers to continue their criminal activities. Check our in-depth article on what happens if you pay the ransom.

How to handle a Cactus ransomware attack

It is important to note that handling a ransomware attack can be complex and requires expertise. Therefore, it is recommended to seek professional help from a reputable data recovery service, such as Proven Data, to help you recover your data and remove the ransomware from your system.

You can also report the attack to law enforcement agencies like the FBI and cybersecurity organizations to help prevent future attacks and catch the perpetrators.

We strongly recommend contacting cybersecurity services to handle ransomware attacks. Proven Data technicians not only retrieve ransomware-encrypted data but also create forensic reports and streamline incident response, minimizing your business downtime and financial loss.

How to prevent ransomware attacks

Preventing Cactus ransomware attacks is always the best cybersecurity tactic. If you are a recent victim, you must follow these tips to avoid a new ransomware attack:

Keep your software up to date

Regularly update your operating system and programs to uphold security standards. Reputable OS providers consistently check their software for vulnerabilities and release patches to protect against newly detected threats.

Use reputable antivirus software

Employ reputable antivirus software to significantly bolster protection against malware, and regularly check that it is up to date. You can also check your network for vulnerabilities and learn where you need to improve your security system.

Be cautious of suspicious emails

Even though there are no known cases of Cactus using phishing as an attack method, it’s important to exercise caution when dealing with emails from unfamiliar or dubious origins. Refrain from opening files or clicking on links within emails that you are not expecting or seem suspicious.

Do not download cracked software

Cracked software is the term used to describe illicitly modified or pirated versions of commercial software, typically distributed without proper authorization or licensing. Cybercriminals frequently conceal their ransomware executables within cracked software distribution websites, leading users to unwittingly download and execute the malware.

Backup your data

Regularly back up your data to an external hard drive or cloud storage service to prevent complete data loss in case of a ransomware attack. A highly recommended strategy for data loss prevention is the 3-2-1 backup strategy.

The 3-2-1 backup strategy involves keeping three copies of your data in total, stored on two different types of media, with at least one copy kept offsite. This ensures redundancy and protects against loss due to natural disasters or other local incidents.
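The 3-2-1 rule reduces to three countable conditions, so it can be checked against a backup inventory. The following Python check is an added example, not from the original article; the inventory format, the BackupCopy fields, the immutability warning and the sample entries are my own assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class BackupCopy:
    """One copy of a data set. The live production copy counts as one of the three."""
    label: str
    media: str              # e.g. "ssd", "nas", "tape", "object-storage"
    offsite: bool           # stored in a different physical location
    immutable: bool = False  # write-once or locked against deletion


def check_321(copies: List[BackupCopy]) -> Dict[str, object]:
    """Evaluate an inventory against the 3-2-1 rule and report what is missing."""
    media_types = {c.media for c in copies}
    offsite = [c.label for c in copies if c.offsite]
    problems: List[str] = []
    warnings: List[str] = []

    if len(copies) < 3:
        problems.append(f"{len(copies)} copies, need at least 3")
    if len(media_types) < 2:
        problems.append("all copies share one media type, need at least 2")
    if not offsite:
        problems.append("no offsite copy")

    # Not part of 3-2-1 itself, but relevant to ransomware: an intruder with
    # access to the backups can delete or encrypt them, so warn when no copy
    # is immutable (assumed field; adapt to your backup product's setting).
    if not any(c.immutable for c in copies):
        warnings.append("no immutable copy; ransomware that reaches the backups can destroy them")

    return {
        "compliant": not problems,
        "problems": problems,
        "warnings": warnings,
        "copies": len(copies),
        "media_types": sorted(media_types),
        "offsite_copies": offsite,
    }


if __name__ == "__main__":
    # Constructed sample inventory for a file server.
    inventory = [
        BackupCopy("production", "ssd", offsite=False),
        BackupCopy("nightly-nas", "nas", offsite=False),
        BackupCopy("cloud-weekly", "object-storage", offsite=True, immutable=True),
    ]
    for key, value in check_321(inventory).items():
        print(f"{key}: {value}")
```

A common failure this catches is two copies that live on the same NAS or the same cloud account: they satisfy "three copies" on paper but share a media type and a location, so one compromised set of credentials takes out all of them.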

Educate yourself and your teams

Educate yourself and your employees about the risks of ransomware and how to avoid it, such as avoiding suspicious emails or downloads.

Consult cybersecurity professionals

Proven Data offers cybersecurity services to help you keep your data protected against threat actors, from vulnerability assessments that ensure your systems and servers do not leave open doors for cyber attacks, to Incident Response (IR) services for immediate action in case of a successful attack.

We also have the option of managed detection and response (MDR) services that help organizations improve their security posture, minimize risk, and protect sensitive data and assets.
