Severity
High
Analysis Summary
Cactus ransomware is a sophisticated strain that first emerged in March 2023 and has since gained notoriety for targeting large commercial entities using a double-extortion approach. Unlike some ransomware families, Cactus does not have widely known aliases but is distinct for its self-encryption mechanism that helps evade detection by security software. The ransomware encrypts its own executable using batch scripts and 7-Zip, making it harder for antivirus tools to identify during deployment. Once inside a target network, the attackers use tools like SoftPerfect Network Scanner, PowerShell scripts, Splashtop, and AnyDesk to navigate laterally and maintain persistent access.
Initial access is typically gained by exploiting vulnerabilities in VPN appliances such as those from Fortinet, and software platforms like Qlik Sense. Cactus has shown a preference for targeting sectors such as manufacturing and professional services, with a strong geographic focus on the United States, which accounts for over half of its known attacks. A high-profile incident involving Cactus occurred in January 2024 when the group claimed responsibility for breaching Schneider Electric’s Sustainability Business division, alleging the theft of 1.5 terabytes of sensitive data.
The group behind Cactus ransomware has not been publicly identified, but their techniques and tooling suggest possible links to other ransomware gangs like Black Basta. This includes the use of similar remote administration tools and lateral movement strategies. Cactus continues to evolve and adapt its methods, demonstrating a high level of operational security and technical sophistication. As such, it poses a growing threat to organizations worldwide, particularly those with exposed remote services or insufficient network segmentation and monitoring.
Impact
- Sensitive Data Theft
- Operational Disruption
- Financial Loss
Indicators of Compromise
MD5
- 586a7991bb097e7c4ef676b180f65a6a
- 7fa55bf92073ca2115d70641566ce89b
- ccb993b425257228bd48c0aac20d5027
- 28103f745f58a2af71d327012846c022
- 82cb0577a64e59d187ab3174d1095c22
- 36330349aa9c3dc0fee84e0c57283e65
SHA-256
- 378bec795d652d3941510969c1db6a42fab4d493704fbd52121a48d2ba459d0d
- 7adee0f8f400d72b70d34b9bd90b3559c71d7f0f5b2695b5ed70e733e76d9e46
- a82c5abfc976b78a19020e690992a803fae267080d1e3fb30dff552a0ddf73b1
- 58ea56177cf0e8a863d6e9f11570a3e61239e21e1d0b5667537b7223d4131c42
- d7da599c59de7fa5a42044665f8e6eeef7b313a2733886a24a8732e8689f4df4
- 825d84edff4b9fffac7fd9a33df33c87b5d07993ada881f451c1efef4a206c88
SHA-1
- c8d100b8eb0ffe02c639d6a2a9128780d4e4b2db
- 531dcfc0420423b11a5ce6e14381725de902bc6c
- 20c2350d5dee7c06dfcd9d182bfa87a02ad8e275
- a2aac68296750c9299123611e4801b3e91b0747d
- 35cc167b4e9324e95f46016b1b74e8c261cc93a8
- 6f3a3aafcc0aa2ea944d2070c063ba003d0c6e34
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Disconnect infected devices from the internet and local networks immediately to prevent the ransomware from spreading.
- Do not pay the ransom; paying does not guarantee file recovery and may encourage further attacks.
- Use reputable antivirus or anti-malware software to detect and remove the ransomware from your system.
- Restore files from clean backups if available; ensure the backup media is not connected to the infected network during restoration.
- Update all software, operating systems, and firmware to their latest versions to patch known vulnerabilities.
- Implement network segmentation to limit the spread of ransomware within your organization.
- Conduct regular security audits and vulnerability assessments to identify and address potential security gaps.
- Implement strict user access controls, granting permissions based on the principle of least privilege.
- Develop and regularly update an incident response plan to effectively respond to ransomware attacks.
- Monitor network traffic for unusual activity that may indicate a ransomware infection.
- Regularly back up critical data and store backups offline or in a secure, isolated environment.
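The second remediation item, searching your environment for the listed indicators, can be done with a simple hash sweep. The script below is an added example and is not tooling from the advisory's author; it embeds the MD5, SHA-1 and SHA-256 values listed above as its known-bad set and walks a directory tree you name on the command line (the scan root is an assumed argument, defaulting to the current directory). It hashes each file once with all three algorithms in chunks so large files do not need to be read into memory, skips files it cannot open, and reports every match.

```python
"""Hash sweep for the Cactus ransomware indicators listed in the advisory.

Added example, not the advisory's own tooling. Usage:
    python cactus_sweep.py /path/to/scan
"""
import hashlib
import os
import sys

# Indicators copied from the advisory above (hex digests, lowercase).
CACTUS_MD5 = {
    "586a7991bb097e7c4ef676b180f65a6a",
    "7fa55bf92073ca2115d70641566ce89b",
    "ccb993b425257228bd48c0aac20d5027",
    "28103f745f58a2af71d327012846c022",
    "82cb0577a64e59d187ab3174d1095c22",
    "36330349aa9c3dc0fee84e0c57283e65",
}
CACTUS_SHA1 = {
    "c8d100b8eb0ffe02c639d6a2a9128780d4e4b2db",
    "531dcfc0420423b11a5ce6e14381725de902bc6c",
    "20c2350d5dee7c06dfcd9d182bfa87a02ad8e275",
    "a2aac68296750c9299123611e4801b3e91b0747d",
    "35cc167b4e9324e95f46016b1b74e8c261cc93a8",
    "6f3a3aafcc0aa2ea944d2070c063ba003d0c6e34",
}
CACTUS_SHA256 = {
    "378bec795d652d3941510969c1db6a42fab4d493704fbd52121a48d2ba459d0d",
    "7adee0f8f400d72b70d34b9bd90b3559c71d7f0f5b2695b5ed70e733e76d9e46",
    "a82c5abfc976b78a19020e690992a803fae267080d1e3fb30dff552a0ddf73b1",
    "58ea56177cf0e8a863d6e9f11570a3e61239e21e1d0b5667537b7223d4131c42",
    "d7da599c59de7fa5a42044665f8e6eeef7b313a2733886a24a8732e8689f4df4",
    "825d84edff4b9fffac7fd9a33df33c87b5d07993ada881f451c1efef4a206c88",
}


def hash_file(path, chunk_size=1 << 20):
    """Return (md5, sha1, sha256) hex digests of one file, reading it in chunks."""
    md5, sha1, sha256 = hashlib.md5(), hashlib.sha1(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha1.update(chunk)
            sha256.update(chunk)
    return md5.hexdigest(), sha1.hexdigest(), sha256.hexdigest()


def sweep(root, md5_set=CACTUS_MD5, sha1_set=CACTUS_SHA1, sha256_set=CACTUS_SHA256):
    """Walk `root` and return a list of (path, algorithm, digest) for every match.

    The indicator sets are parameters so the same sweep can be reused with
    other advisories' hashes.
    """
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                md5, sha1, sha256 = hash_file(path)
            except OSError:
                continue  # unreadable (permissions, locked, vanished): skip, do not abort the sweep
            if md5 in md5_set:
                hits.append((path, "md5", md5))
            if sha1 in sha1_set:
                hits.append((path, "sha1", sha1))
            if sha256 in sha256_set:
                hits.append((path, "sha256", sha256))
    return hits


if __name__ == "__main__":
    scan_root = sys.argv[1] if len(sys.argv) > 1 else "."
    matches = sweep(scan_root)
    for match_path, algo, digest in matches:
        print(f"MATCH {algo} {digest} {match_path}")
    print(f"{len(matches)} indicator match(es) under {scan_root}")
```

A hash match is exact-match only: a rebuilt or repacked sample produces a different digest, so treat a clean sweep as "none of these specific files are present", not as proof of absence. Run it from a clean host against mounted or exported file systems rather than from a machine suspected of being infected.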