CACTUS Ransomware Strikes Large Enterprises
Category: Ransomware News | Industry: Global | Level: Tactical | Source: Kroll
A new ransomware strain tracked as "CACTUS" emerged in March 2023, targeting large enterprises. Researchers from Kroll Cyber Threat Intelligence provide an in-depth report of the tactics, techniques, and procedures (TTPs) demonstrated by CACTUS operators in their recent attacks. Kroll's investigation of CACTUS notes "an overlapping set of TTPs. These include the use of tools such as Chisel, Rclone, TotalExec, Scheduled Tasks, and custom scripts to disable security software to distribute the ransomware binary." CACTUS operators have favored exploitation of a VPN vulnerability as their initial point of entry. "In all cases observed, the threat actor's access was obtained from a VPN server with a VPN service account," said Kroll.
After gaining access through the VPN, the operators set up an SSH backdoor and maintained persistence with a scheduled task. Active Directory and system reconnaissance were then carried out to identify network targets. Persistence was layered heavily: remote access software such as AnyDesk and SuperOps RMM was installed alongside command-and-control tooling such as Chisel and Cobalt Strike. Endpoint security software such as Bitdefender was uninstalled using msiexec. Credentials were harvested from LSASS and browsers to support lateral movement, and a new admin-level user account and registry modifications added yet another layer of persistence. Data of interest to the attackers was exfiltrated using Rclone. Kroll also observed CACTUS operators using a script similar to that used by Black Basta ransomware to aid deployment of the encryptor. "The ransomware encryptor is novel in that it requires a key to decrypt the binary for execution, likely to prevent detection via anti-virus software. The key is provided within a file containing random text named ntuser.dat which is loaded via a scheduled task."
- Schtask/Recon Lead to Tool Install/Data Theft/Persistence/RDP
Anvilogic Use Cases:
- Remote Access Software Execution
- Stored Credentials from Web Browsers - Windows
- Rclone Execution
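The use cases above all key on process-creation telemetry. As an added example that is not from Kroll or Anvilogic, the Python pass below runs simple rule logic for the TTPs described in this report (Rclone transfers, including a renamed binary caught via its PE original file name; msiexec uninstall of security software; scheduled-task persistence launched from user-writable paths or as SYSTEM; remote access tool execution) over constructed Sysmon-style Event ID 1 records. The field names follow Sysmon (Image, CommandLine, OriginalFileName); the command lines, paths, task name, vendor list and remote-access binary list are constructed assumptions for illustration, not indicators taken from the report.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# ---------------------------------------------------------------------------
# Added example, not Kroll's or Anvilogic's code. Field names mirror Sysmon
# Event ID 1; everything else (paths, task name, vendor/tool lists) is assumed.
# ---------------------------------------------------------------------------


@dataclass
class ProcessEvent:
    """Minimal Sysmon Event ID 1 shape: Image, CommandLine, OriginalFileName."""
    image: str
    command_line: str
    original_file_name: str = ""


Hit = Tuple[str, str]  # (rule name, severity)

# Directories an operator can write to without admin rights (assumption; tune per environment).
USER_WRITABLE = re.compile(r"\\(users|programdata|temp|public)\\", re.IGNORECASE)
SECURITY_VENDORS = ("bitdefender",)        # product Kroll saw removed; extend as needed
REMOTE_ACCESS_BINARIES = {"anydesk.exe"}   # AnyDesk is named in the report; SuperOps omitted (binary name not on page)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def rule_rclone(ev: ProcessEvent) -> Optional[Hit]:
    """Rclone Execution: match the image name OR the PE OriginalFileName so a renamed
    rclone.exe is still caught; escalate when a transfer verb is on the command line."""
    if basename(ev.image) != "rclone.exe" and ev.original_file_name.lower() != "rclone.exe":
        return None
    if re.search(r"\b(copy|sync|move|lsd)\b", ev.command_line, re.IGNORECASE):
        return ("rclone_transfer", "high")
    return ("rclone_execution", "medium")


def rule_msiexec_uninstall(ev: ProcessEvent) -> Optional[Hit]:
    """Security software removal: msiexec with /x or /uninstall; high if a known
    vendor is named, low for any other silent uninstall (worth baselining)."""
    if basename(ev.image) != "msiexec.exe":
        return None
    cl = ev.command_line.lower()
    if not re.search(r"(?:^|\s)/(?:x|uninstall)(?:\s|$)", cl):
        return None
    if any(vendor in cl for vendor in SECURITY_VENDORS):
        return ("security_software_uninstall", "high")
    if re.search(r"(?:^|\s)/q(?:n|uiet)?(?:\s|$)", cl):
        return ("silent_msi_uninstall", "low")
    return None


def rule_schtasks(ev: ProcessEvent) -> Optional[Hit]:
    """Scheduled-task persistence: schtasks /create whose /tr target lives in a
    user-writable directory and/or runs as SYSTEM (/ru)."""
    if basename(ev.image) != "schtasks.exe":
        return None
    cl = ev.command_line
    if not re.search(r"(?:^|\s)/create(?:\s|$)", cl, re.IGNORECASE):
        return None
    m = re.search(r'/tr\s+(?:"([^"]+)"|(\S+))', cl, re.IGNORECASE)
    task_run = (m.group(1) or m.group(2)) if m else ""
    writable = USER_WRITABLE.search(task_run) is not None
    as_system = re.search(r'/ru\s+"?(?:nt authority\\)?system\b', cl, re.IGNORECASE) is not None
    if writable or as_system:
        return ("suspicious_scheduled_task", "high" if (writable and as_system) else "medium")
    return None


def rule_remote_access(ev: ProcessEvent) -> Optional[Hit]:
    """Remote Access Software Execution: known RMM/remote-access binaries."""
    if basename(ev.image) in REMOTE_ACCESS_BINARIES or ev.original_file_name.lower() in REMOTE_ACCESS_BINARIES:
        return ("remote_access_tool", "medium")
    return None


RULES = (rule_rclone, rule_msiexec_uninstall, rule_schtasks, rule_remote_access)


def scan(events: List[ProcessEvent]) -> List[dict]:
    """Apply every rule to every event; one dict per (event, rule) hit."""
    hits = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                hits.append({"rule": hit[0], "severity": hit[1], "image": ev.image})
    return hits


# Constructed sample events (not taken from the Kroll report).
SAMPLE_EVENTS = [
    # rclone renamed to svchost.exe and dropped in a public folder; OriginalFileName gives it away
    ProcessEvent(r"C:\Users\Public\svchost.exe",
                 r"svchost.exe copy C:\Shares\Finance remote:exfil --transfers 8",
                 original_file_name="rclone.exe"),
    # silent uninstall of the endpoint security product (assumed MSI name)
    ProcessEvent(r"C:\Windows\System32\msiexec.exe",
                 r'msiexec.exe /x "C:\Temp\Bitdefender Endpoint Security Tools.msi" /qn /norestart'),
    # persistence: task running a binary from ProgramData as SYSTEM at logon (assumed names)
    ProcessEvent(r"C:\Windows\System32\schtasks.exe",
                 r'schtasks.exe /create /tn "Updates" /tr "C:\ProgramData\svc\run.exe" /sc onlogon /ru SYSTEM /f'),
    # remote access tool launched from a user-writable path
    ProcessEvent(r"C:\Users\Public\AnyDesk.exe", r"AnyDesk.exe"),
    # benign noise: a real svchost and an ordinary silent MSI install
    ProcessEvent(r"C:\Windows\System32\svchost.exe", r"svchost.exe -k netsvcs -p"),
    ProcessEvent(r"C:\Windows\System32\msiexec.exe", r"msiexec.exe /i C:\Temp\app.msi /qn"),
]

if __name__ == "__main__":
    for h in scan(SAMPLE_EVENTS):
        print(f"{h['severity']:6} {h['rule']:28} {h['image']}")
```

The OriginalFileName check is the part worth keeping in production: renaming rclone.exe defeats an image-name match but not the PE version resource, and the same trick applies to Chisel or AnyDesk. The msiexec rule deliberately fires at low severity on any silent uninstall so that a vendor name missing from the list still surfaces during triage.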