CACTUS ransomware evades antivirus and exploits VPN flaws to hack networks

CACTUS ransomware operators target large-scale commercial organizations with double extortion to steal sensitive data before encryption.

The Cyber Threat Intelligence team at Kroll, a risk consulting and corporate investigation firm, has disclosed its findings on a new ransomware strain dubbed CACTUS. The strain exploits known vulnerabilities in VPN appliances to infiltrate targeted networks.

Reportedly, CACTUS ransomware operators target large-scale commercial organizations with double extortion to steal sensitive data before encryption.

Self-Encrypting CACTUS Ransomware Operation Details

In all the incidents Kroll researchers assessed, the attacker gained access through a VPN server using a VPN service account. CACTUS differs from other operations in that it protects its ransomware binary with encryption.

The attacker uses a batch script that runs 7-Zip to extract the encryptor binary from an archive, removes the original ZIP archive, and executes the binary with a specific flag. Keeping the encryptor packaged in this way until it runs helps it evade detection.

Known VPN Flaws Leveraged for Network Access

The operation was launched in March and appears financially motivated: researchers believe the attackers are after large payouts from their targets. CACTUS operators obtain initial access to the network by exploiting already-known flaws in Fortinet VPN appliances.

After exploiting a vulnerable VPN device, they set up an SSH backdoor to maintain persistence and run a series of PowerShell commands to scan the network and build a list of devices worth encrypting.

How is it Executed?

There are three modes of execution, each selected with a specific command-line switch:

  • Setup (-s)
  • Read configuration (-r)
  • Encryption (-i)

The -s and -r arguments let the threat actors maintain persistence and save data in a file (C:\ProgramData\ntuser.dat), which the encryptor reads when run with the -r argument. Encryption is performed using a unique AES key known only to the attackers; this key is obtained using the -i command argument and is essential for decrypting the ransomware's configuration files. The public RSA key, embedded as a hardcoded hex string in the encryptor binary, is required for file encryption.

What Happens After Network Infiltration?

CACTUS operators enumerate network and local user accounts, create new user accounts, and leverage custom scripts to automate the deployment/detonation of the CACTUS ransomware encryptor through scheduled tasks.
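The staging behaviour described above (7-Zip extraction of the encryptor, deletion of the archive, execution with one of the -s/-r/-i switches, the state file under C:\ProgramData, and scheduled-task deployment) can be turned into endpoint detection logic. The following is an added example, not code from Kroll or from the article: it runs a few correlation rules over constructed event records loosely modelled on Sysmon process-create, file-create and file-delete fields. The binary name svc.exe, the archive name pkg.zip, the process ids and the scheduled-task name are all invented for the sample; only the switches, the ntuser.dat path and the 7-Zip/batch-script pattern come from the article.

```python
"""Added detection example for CACTUS-style staging (constructed events, not real telemetry)."""
import re
from collections import defaultdict

# Switch -> stage, taken from the article's list of execution modes.
STAGE_SWITCHES = {"-s": "setup", "-r": "read-config", "-i": "encryption"}

# ntuser.dat normally lives in a user profile; the article says the encryptor
# keeps its persisted data in C:\ProgramData\ntuser.dat instead.
NTUSER_IN_PROGRAMDATA = re.compile(r"c:\\programdata\\ntuser\.dat", re.I)
# 7z.exe / 7za.exe extracting (x or e) a .zip or .7z archive.
SEVENZIP_EXTRACT = re.compile(r'7z(?:a)?\.exe"?\s+[xe]\s+.*?(\S+\.(?:zip|7z))', re.I)


def split_cmdline(cmdline):
    """Split a Windows command line into tokens, keeping double-quoted spans together."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def stage_from_cmdline(cmdline):
    """Return the CACTUS stage if the first argument is one of the known switches, else None."""
    tokens = split_cmdline(cmdline)
    if len(tokens) < 2:
        return None
    return STAGE_SWITCHES.get(tokens[1].lower())


def scheduled_task_stage(cmdline):
    """For a 'schtasks /create' command, return the stage switch used in its /tr action, else None."""
    tokens = split_cmdline(cmdline)
    lowered = [t.lower() for t in tokens]
    if "/create" not in lowered or "/tr" not in lowered:
        return None
    idx = lowered.index("/tr") + 1
    return stage_from_cmdline(tokens[idx]) if idx < len(tokens) else None


def detect(events):
    """Walk time-ordered events and return (severity, reason, event) findings.

    A bare -s/-r/-i switch is far too common to alert on by itself, so every
    finding requires a corroborating signal: the extract-then-delete staging by
    the same parent, a schtasks action, or a write to the ProgramData state file.
    """
    findings = []
    extracted = defaultdict(set)  # parent pid -> archives 7-Zip extracted on its behalf
    deleted = defaultdict(set)    # pid -> files that process deleted
    staged = {}                   # pid -> stage of processes launched with a CACTUS switch
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["type"] == "FileDelete":
            deleted[ev["pid"]].add(ev["path"].lower())
            continue
        if ev["type"] == "FileCreate":
            if ev["pid"] in staged and NTUSER_IN_PROGRAMDATA.search(ev["path"]):
                findings.append(("medium", f"{staged[ev['pid']]} stage wrote {ev['path']}", ev))
            continue
        cmd = ev["cmdline"]
        m = SEVENZIP_EXTRACT.search(cmd)
        if m:
            extracted[ev["parent_pid"]].add(m.group(1).lower())
            continue
        if ev["image"].lower().endswith("schtasks.exe"):
            stage = scheduled_task_stage(cmd)
            if stage:
                findings.append(("medium", f"scheduled task action uses {stage} switch", ev))
            continue
        stage = stage_from_cmdline(cmd)
        if stage is None:
            continue
        staged[ev["pid"]] = stage
        ppid = ev["parent_pid"]
        if extracted[ppid] & deleted[ppid]:
            findings.append(("high", f"{stage} stage launched from a 7-Zip extract-then-delete sequence", ev))
        elif extracted[ppid]:
            findings.append(("medium", f"{stage} stage launched after a 7-Zip extraction by the same parent", ev))
    return findings


# Constructed sample events; pids, paths and names are invented.
SAMPLE_EVENTS = [
    # Benign: an admin tool also takes "-s"; nothing corroborates it, so no finding.
    {"time": 0, "type": "ProcessCreate", "pid": 300, "parent_pid": 200,
     "image": r"C:\Tools\backup.exe", "cmdline": r"C:\Tools\backup.exe -s nightly"},
    # Batch script (cmd.exe, pid 400) extracts an archive with 7-Zip ...
    {"time": 1, "type": "ProcessCreate", "pid": 410, "parent_pid": 400,
     "image": r"C:\Program Files\7-Zip\7z.exe",
     "cmdline": r'"C:\Program Files\7-Zip\7z.exe" x C:\ProgramData\pkg.zip -oC:\ProgramData'},
    # ... deletes the archive ...
    {"time": 2, "type": "FileDelete", "pid": 400, "path": r"C:\ProgramData\pkg.zip"},
    # ... and launches the extracted binary in encryption mode.
    {"time": 3, "type": "ProcessCreate", "pid": 411, "parent_pid": 400,
     "image": r"C:\ProgramData\svc.exe", "cmdline": r"C:\ProgramData\svc.exe -i"},
    # Persistence: a scheduled task that re-runs the binary in read-config mode.
    {"time": 4, "type": "ProcessCreate", "pid": 412, "parent_pid": 400,
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks.exe /create /tn Updater /tr "C:\ProgramData\svc.exe -r" /sc onstart'},
    # A setup-mode process writes its state file under ProgramData.
    {"time": 5, "type": "ProcessCreate", "pid": 413, "parent_pid": 500,
     "image": r"C:\ProgramData\svc.exe", "cmdline": r"C:\ProgramData\svc.exe -s"},
    {"time": 6, "type": "FileCreate", "pid": 413, "path": r"C:\ProgramData\ntuser.dat"},
]

if __name__ == "__main__":
    for severity, reason, ev in detect(SAMPLE_EVENTS):
        print(f"[{severity}] {reason} (pid {ev['pid']})")
```

The benign first event shows why the switches alone are not a usable signature; on real telemetry the same rules would be fed from a SIEM query over Sysmon or EDR process and file events, with the corroborating signals doing the work.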

In their report, the researchers describe sensitive data exfiltration and victim extortion over the Tor messaging service; however, they have not yet found a data leak site belonging to the actor.

Attackers use the Cobalt Strike and Chisel tunnelling tools to establish C2 communication. They can uninstall or disable security solutions and extract credentials stored in web browsers and in LSASS (Local Security Authority Subsystem Service) for privilege escalation.

They move laterally to multiple systems, deploy legitimate remote monitoring and management (RMM) tools such as AnyDesk to maintain persistence on the compromised network, deploy the ransomware with the TotalExec.ps1 script previously used by Black Basta ransomware operators, and exfiltrate data using the Rclone tool. The entire infection chain takes 3 to 5 days to complete.


The name CACTUS comes from a filename mentioned in the ransom note, cAcTuS.readme.txt. Encrypted files are appended with the extension .cts1, although Kroll researchers noted that the number at the end of the extension varies across victims and incidents.
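Because the extension number varies per victim and the note name is mixed-case, a responder triaging a host should not search for the literal strings ".cts1" or "cAcTuS.readme.txt". The following added example (not code from Kroll or from the article) walks a directory tree, counts encrypted files per extension variant using a pattern that accepts any digits after ".cts", and matches the note name case-insensitively. The directory layout and file names it builds are constructed for the sample.

```python
"""Added triage example: scope CACTUS-style encryption artifacts on a file tree (constructed sample)."""
import os
import re
import tempfile
from collections import Counter

# The suffix number varies per victim, so match ".cts" followed by any digits (case-insensitive).
ENCRYPTED_EXT = re.compile(r"\.cts(\d+)$", re.I)
# The note name is mixed-case on disk; compare case-insensitively.
RANSOM_NOTE = "cactus.readme.txt"


def triage(root):
    """Walk root; report encrypted-file counts per extension variant and ransom note locations."""
    per_variant = Counter()
    notes = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if name.lower() == RANSOM_NOTE:
                notes.append(os.path.join(dirpath, name))
                continue
            m = ENCRYPTED_EXT.search(name)
            if m:
                per_variant[m.group(1)] += 1
    return {
        "encrypted_by_variant": dict(per_variant),
        "total_encrypted": sum(per_variant.values()),
        "ransom_notes": sorted(notes),
    }


def build_sample_tree(root):
    """Constructed sample: a few encrypted files, one note, and untouched files."""
    layout = {
        "finance/q1.xlsx.cts1": b"",
        "finance/q2.xlsx.cts1": b"",
        "hr/cAcTuS.readme.txt": b"constructed note body",
        "hr/payroll.docx.cts1": b"",
        "it/README.txt": b"not encrypted",
        "it/backup.tar.CTS7": b"",  # a different victim's variant, upper-case on disk
    }
    for rel, body in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(body)
    return root


def run_sample():
    """Build the constructed tree in a temporary directory, triage it, and return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        return triage(build_sample_tree(tmp))


if __name__ == "__main__":
    print(run_sample())
```

Counting per variant is deliberate: seeing more than one suffix number on a single host, as the upper-case .CTS7 sample shows, is worth noting in an incident timeline because the article reports the number differing between victims and incidents.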
