What is the Cactus ransomware?
Cactus is a ransomware-as-a-service (RaaS) group that encrypts victims’ data and demands a ransom for a decryption key. Since it was first discovered in March 2023, hundreds of organizations have been victims of Cactus, and their stolen data has been published on the dark web as an “incentive” to give in to the extortionists’ demands.
So far, so sadly typical. What makes Cactus different?
Cactus made a name for itself by exploiting known vulnerabilities in internet-facing VPN appliances to gain a foothold in corporate networks, and by shipping its ransomware binary in encrypted form so that it only unpacks and runs when supplied with the correct key, which hampers anti-virus scanning and static analysis.
Researchers have recently uncovered possible connections between Cactus and the Black Basta ransomware group. Both Cactus and Black Basta have used the BackConnect module, a backdoor component that gives attackers remote control of a compromised system and lets them keep that control after the initial intrusion. This shared tooling suggests an overlap in personnel or affiliates between the two gangs, although shared tooling alone does not prove it.
Researchers have observed Cactus ransomware attackers using BackConnect to steal sensitive data such as login credentials, financial data, and personal information.
In addition, research released by Trend Micro reveals that both Cactus and Black Basta have used the same social engineering trick: flooding a worker's email inbox with thousands of messages, typically sign-ups to legitimate newsletters and mailing lists, so that the individual emails are harmless but the mailbox becomes unusable.
The attackers then telephone the user suffering from the email bombardment, claim to work for the company's IT helpdesk, and offer to fix the problem. The user is socially engineered into granting the caller remote access to their computer, usually through a legitimate remote-assistance tool, which lets the attacker run malicious code under the user's account.
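The mail flood itself is made of individually benign messages, so nothing about any one of them trips a filter; what is detectable is the burst. The following detector, an added example written for this article rather than code from Trend Micro or either ransomware group, flags any mailbox that receives an unusual number of messages from many distinct senders inside a short sliding window. The log format, the threshold of 50 messages in 10 minutes, and the sample mailbox traffic are all constructed assumptions; adapt the parser to your MTA's actual log layout.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


def build_sample_log():
    """Constructed sample mail log, not real mail-server output.

    One record per line: "<ISO timestamp> <recipient> <sender>".
    alice receives 80 subscription confirmations in 8 minutes (an email bomb);
    bob receives a normal trickle of 4 messages over an hour.
    """
    base = datetime(2025, 3, 1, 9, 0, 0)
    lines = []
    for i in range(80):
        ts = base + timedelta(seconds=6 * i)  # one message every 6 seconds
        lines.append(f"{ts.isoformat()} alice@example.com "
                     f"signup{i}@newsletter-{i % 37}.example")
    for i in range(4):
        ts = base + timedelta(minutes=15 * i)
        lines.append(f"{ts.isoformat()} bob@example.com colleague{i}@example.com")
    lines.sort()  # the detector assumes records arrive in time order
    return lines


def detect_email_bombing(lines, threshold=50, window=timedelta(minutes=10)):
    """Return {recipient: details} for every mailbox that receives at least
    `threshold` messages within any sliding window of length `window`.

    `distinct_senders` is recorded because a bombardment is characterised by
    many unrelated senders, whereas a runaway internal thread or a mailing
    list loop comes from one or a few.
    """
    recent = defaultdict(deque)  # recipient -> (timestamp, sender) within window
    alerts = {}
    for line in lines:
        ts_str, recipient, sender = line.split()
        ts = datetime.fromisoformat(ts_str)
        q = recent[recipient]
        q.append((ts, sender))
        while q and ts - q[0][0] > window:  # drop records that fell out of the window
            q.popleft()
        if len(q) >= threshold and recipient not in alerts:
            alerts[recipient] = {
                "count": len(q),
                "distinct_senders": len({s for _, s in q}),
                "window_start": q[0][0],
                "window_end": ts,
            }
    return alerts


if __name__ == "__main__":
    for mailbox, info in detect_email_bombing(build_sample_log()).items():
        print(f"possible email bombing of {mailbox}: {info['count']} messages "
              f"from {info['distinct_senders']} senders between "
              f"{info['window_start']:%H:%M:%S} and {info['window_end']:%H:%M:%S}")
```

The useful response to an alert is not to quarantine the mail but to warn the affected user and the real helpdesk immediately: the security-relevant event is the phone call that follows the flood, and a user who has been told "someone may call you pretending to be IT" is far less likely to hand over remote access.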
Nasty. How will I know if my computers have been hit by Cactus ransomware?
Once Cactus has infected a PC, it will attempt to uninstall anti-virus software, enumerate other machines on the network as further targets, and use various techniques to steal information and files before they are encrypted.
After files have been exfiltrated and encrypted, a ransom note with the filename "cAcTuS.readme.txt" is dropped on the victim's computer.
Encrypted files can be identified easily because their extensions will have been changed to .cts1 or .cts7.
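Those two indicators, the ransom note filename and the renamed extensions, are enough to scope an incident: which shares were touched, how far the encryption got, and where the note was dropped. The scanner below is an added example written for this article, not a tool from Tripwire or any vendor; it walks a directory tree and collects both indicators. The sample tree it builds is constructed from dummy bytes and is not a real Cactus artefact, and the note comparison is case-insensitive because filenames on Windows volumes are.

```python
import os
import tempfile
from pathlib import Path

# Indicators described above: the ransom note (matched case-insensitively,
# it is written as cAcTuS.readme.txt) and the extensions given to encrypted files.
RANSOM_NOTE = "cactus.readme.txt"
ENCRYPTED_EXTS = {".cts1", ".cts7"}


def scan_for_cactus(root):
    """Walk `root` and return the Cactus indicators found beneath it.

    Returns a dict with lists of ransom-note paths and encrypted-file paths,
    plus the set of directories in which either was seen.
    """
    findings = {"ransom_notes": [], "encrypted_files": [], "dirs_hit": set()}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            if name.lower() == RANSOM_NOTE:
                findings["ransom_notes"].append(path)
                findings["dirs_hit"].add(Path(dirpath))
            elif path.suffix.lower() in ENCRYPTED_EXTS:
                findings["encrypted_files"].append(path)
                findings["dirs_hit"].add(Path(dirpath))
    return findings


def build_sample_tree():
    """Constructed sample directory for the demonstration (dummy contents only)."""
    root = Path(tempfile.mkdtemp(prefix="cactus-demo-"))
    (root / "finance").mkdir()
    (root / "finance" / "budget.xlsx.cts1").write_bytes(b"\x00" * 16)
    (root / "finance" / "cAcTuS.readme.txt").write_text("placeholder note text\n")
    (root / "hr").mkdir()
    (root / "hr" / "staff.docx").write_bytes(b"PK\x03\x04")  # untouched file
    (root / "hr" / "payroll.csv.cts7").write_bytes(b"\x00" * 16)
    (root / "public").mkdir()
    (root / "public" / "readme.txt").write_text("ordinary readme, not the note\n")
    return root


if __name__ == "__main__":
    sample = build_sample_tree()
    result = scan_for_cactus(sample)
    print(f"{len(result['encrypted_files'])} encrypted files, "
          f"{len(result['ransom_notes'])} ransom notes, "
          f"{len(result['dirs_hit'])} directories affected under {sample}")
```

Run it read-only against mounted shares from a clean machine rather than on the infected host, and treat a hit as a trigger to isolate the share and preserve the note and a few encrypted samples: the extension tells you encryption has already happened, so this is an incident-response scoping check, not a preventive control.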
Who has fallen victim to the Cactus ransomware?
In the past, victims of the Cactus ransomware have included energy management and automation giant Schneider Electric and the Housing Authority of the City of Los Angeles (HACLA).
The Black Basta ransomware group has impacted a wide range of organizations. In 2024, the FBI warned about the threat it posed to hospitals after some were forced to turn away ambulances following an attack.
So how can my company protect itself from Cactus?
The best advice is to follow the same recommendations that protect your organization from other ransomware. Those include:
- Making secure offsite backups, and testing that they can actually be restored.
- Running up-to-date security solutions, and ensuring that your computers and network devices, VPN appliances in particular, are properly configured and patched against known vulnerabilities.
- Using hard-to-crack, unique passwords to protect sensitive data and accounts, and enabling multi-factor authentication.
- Encrypting sensitive data wherever possible.
- Reducing the attack surface by disabling functionality that your company does not need.
- Educating and informing staff about the risks and methods used by cybercriminals to launch attacks and steal data, including the fact that a genuine IT helpdesk will not cold-call and ask for remote access.
Editor’s Note: The opinions expressed in this and other guest author articles are solely those of the contributor and do not necessarily reflect those of Tripwire.