Cactus Ransomware: What You Need To Know

What is the Cactus ransomware?
Cactus is a ransomware-as-a-service (RaaS) operation that encrypts victims’ data and demands a ransom for a decryption key.
Hundreds of organisations have fallen victim to Cactus since it was first observed in March 2023, and their stolen data has been published on the dark web as an “incentive” to give in to the extortionists’ demands.
So far, so sadly normal. What makes Cactus different?
Cactus made a name for itself by exploiting vulnerabilities in VPN appliances to gain access to corporate networks, and by encrypting its own executable in an attempt to hinder analysis and avoid detection by anti-virus products.
More recently, researchers have uncovered possible connections between Cactus and the Black Basta ransomware group.
Both Cactus and Black Basta have made use of the BackConnect module, malware used by attackers to gain and maintain persistent remote control over compromised systems, suggesting an overlap between the two gangs.
Researchers have observed Cactus ransomware attackers using BackConnect to steal sensitive data such as login credentials, financial data, and personal information. In addition, research released by Trend Micro reveals that both Cactus and Black Basta have used the same social engineering trick of flooding workers’ email inboxes with thousands of emails.
The hackers would then make a voice call to the user suffering the email bombardment, claiming to work for the company’s IT helpdesk, and offering to resolve the problem.
The user is then socially engineered into granting the attacker remote access to their computer, which allows the attacker to run malicious code.
Nasty. How will I know if my computers have been hit by Cactus ransomware?
Once Cactus has infected a PC, it will attempt to uninstall anti-virus software, hunt for other systems to infect, and use a variety of techniques to steal information and files before encrypting them.
After files have been exfiltrated and encrypted, a ransom note with the filename “cAcTuS.readme.txt” is dropped on the victim’s computer.
Encrypted files are easy to identify: they are renamed with a .cts1 or .cts7 extension.
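As an added illustration, not code from the article or from any vendor, the following Python script walks a directory tree and flags the two file-based indicators described above: ransom notes named cAcTuS.readme.txt and files carrying a .cts1 or .cts7 extension. The sample directory layout it scans is constructed for the example, and matching the note name case-insensitively is an assumption made here rather than something the article states.

```python
import os
import tempfile
from collections import Counter

# Indicators described in the article: the ransom note filename and the
# extensions given to encrypted files. The note name is compared in lower case
# (an assumption for robustness) so "cAcTuS.readme.txt" and any other
# capitalisation are caught.
RANSOM_NOTE_NAME = "cactus.readme.txt"
ENCRYPTED_EXTENSIONS = {".cts1", ".cts7"}


def scan_for_cactus_indicators(root):
    """Walk `root` and collect paths that match the Cactus file indicators.

    Returns a dict with sorted lists under "ransom_notes" and "encrypted_files",
    plus a per-directory count of encrypted files to show where the impact lies.
    """
    notes, encrypted = [], []
    per_dir = Counter()
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            lowered = name.lower()
            full_path = os.path.join(dirpath, name)
            if lowered == RANSOM_NOTE_NAME:
                notes.append(full_path)
            elif os.path.splitext(lowered)[1] in ENCRYPTED_EXTENSIONS:
                encrypted.append(full_path)
                per_dir[dirpath] += 1
    return {
        "ransom_notes": sorted(notes),
        "encrypted_files": sorted(encrypted),
        "encrypted_per_directory": dict(per_dir),
    }


def build_sample_tree(root):
    """Create a constructed directory tree imitating a partly encrypted share.

    The files are empty placeholders created for this example; nothing here is
    real malware output. "notes.cts" and "cactus-plants.txt" are decoys that a
    sloppy substring match would wrongly flag.
    """
    layout = {
        "finance": ["q1-results.xlsx.cts1", "cAcTuS.readme.txt", "budget.xlsx.cts7"],
        "hr": ["policy.docx.cts7", "CACTUS.README.TXT"],
        "it": ["inventory.csv", "cactus-plants.txt", "notes.cts"],
    }
    for subdir, names in layout.items():
        os.makedirs(os.path.join(root, subdir), exist_ok=True)
        for name in names:
            with open(os.path.join(root, subdir, name), "w"):
                pass


def demo():
    """Build the sample tree in a temp directory, scan it and return the result.

    Paths are made relative to the temp root and use forward slashes so the
    result is stable across platforms and temp locations.
    """
    def rel(path, root):
        return os.path.relpath(path, root).replace(os.sep, "/")

    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        result = scan_for_cactus_indicators(root)
        return {
            "ransom_notes": [rel(p, root) for p in result["ransom_notes"]],
            "encrypted_files": [rel(p, root) for p in result["encrypted_files"]],
            "encrypted_per_directory": {
                rel(d, root): n for d, n in result["encrypted_per_directory"].items()
            },
        }


if __name__ == "__main__":
    found = demo()
    print(f"Ransom notes found: {len(found['ransom_notes'])}")
    for path in found["ransom_notes"]:
        print(f"  {path}")
    print(f"Encrypted files found: {len(found['encrypted_files'])}")
    for directory, count in sorted(found["encrypted_per_directory"].items()):
        print(f"  {directory}: {count} encrypted file(s)")
```

Point scan_for_cactus_indicators at a file share or user profile to triage an incident; a hit confirms encryption has already happened, so the script is an aid for scoping and isolation, not a preventive control.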
Who has fallen victim to the Cactus ransomware?
Past victims of the Cactus ransomware include energy management and automation giant Schneider Electric, and the Housing Authority of the City of Los Angeles (HACLA).
The Black Basta ransomware group has impacted a wide range of organisations, with the FBI warning last year about the threat it posed to hospitals after some were forced to turn away ambulances following an attack.
So how can my company protect itself from Cactus?
The best advice is to follow the general recommendations for protecting your organisation against any ransomware. Those include:
- Making secure offsite backups.
- Running up-to-date security solutions and ensuring that your computers and network devices are properly configured and patched against known vulnerabilities.
- Using hard-to-crack unique passwords to protect sensitive data and accounts, as well as enabling multi-factor authentication.
- Encrypting sensitive data wherever possible.
- Reducing the attack surface by disabling functionality that your company does not need.
- Educating and informing staff about the risks and methods used by cybercriminals to launch attacks and steal data.
Editor’s Note: The opinions expressed in this and other guest author articles are solely those of the contributor and do not necessarily reflect those of Tripwire.