"New Cactus Ransomware Encrypts Itself to Evade Antivirus"

Cactus, a new ransomware operation, has been exploiting Virtual Private Network (VPN) appliance vulnerabilities to gain initial access to the networks of "large commercial entities." The operation has been active since at least March and seeks significant payments from its victims. Although the new threat actor uses the standard ransomware techniques of file encryption and data theft, it adds a unique twist to avoid detection. Researchers at the corporate investigation and risk consulting company Kroll suspect that Cactus exploits known vulnerabilities in Fortinet VPN appliances to gain initial access to victim networks. The assessment is based on the observation that, in all incidents observed, the attacker pivoted inside the network from a VPN server using a VPN service account. Cactus differs from other operations in its use of encryption to protect the ransomware binary itself. The threat actor behind Cactus uses a batch script to extract the encryptor binary from a ZIP archive with 7-Zip; the original ZIP archive is then removed, and the binary is launched with a specific execution flag. This article continues to discuss researchers' findings regarding the new Cactus ransomware operation.

Bleeping Computer reports "New Cactus Ransomware Encrypts Itself to Evade Antivirus"
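The staging sequence the summary describes (7-Zip extracts the encryptor from a ZIP, the archive is deleted, the extracted binary is launched) is a detectable chain on a process-creation log. The following added example, which is not from the article or from Kroll, runs a simple correlation over constructed Sysmon-style events; the field names, the regexes, the 5-minute window and the placeholder `<flag>` and `<password>` values are assumptions.

```python
import re
from datetime import datetime, timedelta
from ntpath import basename

# Constructed process-creation events (hypothetical, not from the article).
# The first three on WS-01 mimic the staging chain described above; the WS-02
# event is ordinary user activity and must not trigger an alert.
EVENTS = [
    {"host": "WS-01", "ts": "2023-05-01T10:00:01", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Program Files\7-Zip\7z.exe",
     "cmdline": r"7z.exe x C:\Temp\pkg.zip -p<password> -oC:\Temp\stage"},
    {"host": "WS-01", "ts": "2023-05-01T10:00:03", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": r"cmd.exe /c del C:\Temp\pkg.zip"},
    {"host": "WS-01", "ts": "2023-05-01T10:00:05", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Temp\stage\svc.exe", "cmdline": r"C:\Temp\stage\svc.exe <flag>"},
    {"host": "WS-02", "ts": "2023-05-01T11:15:00", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\7-Zip\7z.exe",
     "cmdline": r"7z.exe x C:\Users\bob\Downloads\photos.zip -oC:\Users\bob\Pictures"},
]

ARCHIVE_RE = re.compile(r'\b[xe]\s+"?(\S+?\.zip)"?', re.I)   # 7z "x"/"e" <archive>
OUTDIR_RE = re.compile(r'-o"?([^"\s]+)', re.I)               # 7z -o<output dir>

def detect_staged_encryptor(events, window=timedelta(minutes=5)):
    """Flag a host where 7-Zip extracts a ZIP, the same ZIP is deleted, and a
    binary from the extraction directory is executed, all within `window`."""
    hits, by_host = [], {}
    for e in events:
        by_host.setdefault(e["host"], []).append(dict(e, t=datetime.fromisoformat(e["ts"])))
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["t"])
        for i, e in enumerate(evs):
            if basename(e["image"]).lower() not in ("7z.exe", "7za.exe"):
                continue
            m_arc, m_out = ARCHIVE_RE.search(e["cmdline"]), OUTDIR_RE.search(e["cmdline"])
            if not (m_arc and m_out):
                continue
            archive = m_arc.group(1).lower()
            outdir = m_out.group(1).rstrip("\\").lower() + "\\"
            later = [f for f in evs[i + 1:] if f["t"] - e["t"] <= window]
            deleted = any("del" in f["cmdline"].lower().split() and archive in f["cmdline"].lower()
                          for f in later)
            launched = [f["image"] for f in later if f["image"].lower().startswith(outdir)]
            if deleted and launched:
                hits.append({"host": host, "archive": m_arc.group(1), "launched": launched[0]})
    return hits

if __name__ == "__main__":
    for hit in detect_staged_encryptor(EVENTS):
        print("ALERT staged encryptor:", hit)
```

A real deployment would key the correlation on parent process GUIDs rather than host and time alone, but the three-step chain is the same.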
