Cybersecurity Snapshots - Cactus Ransomware
By aekwall
A new ransomware group called Cactus has been active since at least March and is looking for big payouts from its victims. In July, Cactus published 18 victims to their leak site. Security researchers at Kroll stated that Cactus obtains initial access into the victim network by exploiting known vulnerabilities in Fortinet VPN appliances.
The researchers stated that they use encryption to protect the ransomware binary, which sets Cactus apart from other ransomware groups. The actor uses a batch script to obtain the encryptor binary using 7-Zip. The original ZIP archive is removed, and the binary is deployed with a specific flag that allows it to execute. The entire process is unusual, and the researchers noted that this is to prevent the detection of the ransomware encryptor. During the researchers’ investigation into the ransomware, the researchers discovered that there are three main modes of execution, each one selected with the use of a specific command line switch: setup (-s), read configuration (-r), and encryption (-i). The researchers noted that the -s and -r arguments allow the threat actors to set up persistence and store data in a C:\ProgramData\ntuser.dat file that is later read by the encryptor when running with the -r command line argument. The researchers stated that for the file encryption to be possible, a unique AES key known only to the attackers must be provided using the -i command line argument.
Ransomware expert Michael Gillespie also analyzed Cactus and found that it uses multiple extensions for the files it targets, depending on the processing state. Gillespie noted that when preparing a file for encryption, Cactus changes its extension to .CTS0. After encryption, the extension becomes .CTS1. Gillespie stated that Cactus also has a "quick mode," akin to a light encryption pass. Running the malware in quick and normal mode consecutively results in encrypting the same file twice and appending a new extension after each process.
According to the Kroll researchers, once in the network, Cactus used a scheduled task for persistent access using an SSH backdoor reachable from the Command and Control (C2) server. Cactus relied on SoftPerfect Network Scanner (netscan) to look for interesting targets on the network. For deeper reconnaissance, the researchers noted that the attacker used PowerShell commands to enumerate endpoints, identify user accounts by viewing successful logins in Windows Event Viewer, and ping remote hosts. The researchers also found that Cactus ransomware used a modified variant of the open-source PSnmap Tool, which is a PowerShell equivalent of the nmap network scanner. To launch various tools required for the attack, the researchers stated that Cactus ransomware tries multiple remote access methods through legitimate tools such as Splashtop, AnyDesk, SuperOps RMM, Cobalt Strike, and the Go-based proxy tool Chisel. After escalating privileges on a machine, Cactus operators run a batch script that uninstalls the most commonly used antivirus products. The researchers noted that, like most ransomware operations, Cactus also steals data from the victim. For this process, the threat actor uses the Rclone tool to transfer files straight to cloud storage. The researchers explained that after exfiltrating data, the hackers used a PowerShell script called TotalExec, often seen in BlackBasta ransomware attacks, to automate the deployment of the encryption process.
Extensive details about the Cactus operation, the victims they target, and whether the hackers keep their word and provide a reliable decryptor if paid are not available because they are such a new ransomware group. The researchers noted that what is clear is that the hackers' incursions so far likely leveraged vulnerabilities in Fortinet VPN appliances and followed the standard double-extortion approach by stealing data before encrypting it. The researchers noted that applying the latest software updates for the Fortinet VPN appliances, monitoring the network for large data exfiltration tasks, and responding quickly will help protect organizations from a ransomware attack's final and most damaging stages.
To see previous articles, please visit the Cybersecurity Snapshots Archive.