A new ransomware, dubbed Cactus, has been discovered taking advantage of vulnerabilities in VPN appliances for initial access. The ransomware operation has been active since March and is aiming for huge payouts. One of its most dangerous features, which makes it stand out, is that it encrypts itself to evade detection.

About the attack campaign

According to an investigation by Kroll, the Cactus ransomware gains initial access through known vulnerabilities in Fortinet VPN appliances. The attacker uses a VPN server accessed via a VPN service account to infiltrate the system.
  • The ransomware operator then runs a batch script that uses 7-Zip to extract the encryptor binary from a ZIP archive. 
  • After extracting the binary, the original ZIP archive is removed and the binary is executed with a specific command-line flag that allows it to run undetected. 
  • Additionally, there are three main execution modes, each selected with its own command-line switch: setup (-s), read configuration (-r), and encryption (-i).

Cactus' TTPs

After gaining access to the network, the ransomware establishes persistent access using a scheduled task and an SSH backdoor that can be reached from the C2 server. To identify potential targets, the ransomware uses SoftPerfect Network Scanner (netscan).
  • For reconnaissance, the attacker uses PowerShell commands to list endpoints, spot user accounts by reviewing successful logins in the Windows Event Viewer, and ping remote hosts.
  • Cactus ransomware makes use of a modified variant of the open-source PSnmap tool, a PowerShell equivalent of the Nmap network scanner.
  • The ransomware tries different remote access methods via legitimate tools such as AnyDesk, Splashtop, and SuperOps RMM, alongside Cobalt Strike and Chisel, to launch various tools.
  • After data exfiltration, the attackers use a PowerShell script (TotalExec) to automate the encryption process; the script has often been spotted in BlackBasta attacks.
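The behaviours listed above and in the campaign section (a batch script driving 7-Zip to unpack the encryptor, the -s/-r/-i execution switches, scheduled-task persistence, PowerShell review of successful logons, and the netscan/PSnmap/RMM tooling) can be turned into simple process-creation triage rules. The script below is an added example, not code from the article or from Kroll; the event field names, the tool-name substrings, the decision to only flag the -s/-r/-i switches on unsigned images, and the sample events are all assumptions constructed for illustration.

```python
"""Triage constructed process-creation records (Sysmon Event ID 1 style) for
the Cactus TTPs described in the article. Field names and samples are assumed."""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record; image names are lower-case basenames."""
    host: str
    parent: str
    image: str
    cmdline: str
    signed: bool = True  # Authenticode status as reported by the log source


# Substrings of tool names the article lists (assumed spellings as they would
# appear in an image name or command line).
TOOL_MARKERS = ("netscan", "psnmap", "anydesk", "splashtop", "superops",
                "chisel", "totalexec")
PS_IMAGES = {"powershell.exe", "pwsh.exe"}


def r_batch_7zip(e: ProcEvent) -> bool:
    """7-Zip extraction ('x' or 'e' verb) spawned from a cmd.exe batch context."""
    return (e.parent == "cmd.exe" and e.image.startswith("7z")
            and re.search(r"\s[xe]\s", e.cmdline) is not None)


def r_mode_switch(e: ProcEvent) -> bool:
    """Unsigned binary launched with a bare -s, -r or -i switch.
    Gating on the signature is an assumption to cut noise: signed system
    binaries such as svchost.exe legitimately use '-s'."""
    return (not e.signed
            and re.search(r"(^|\s)-[sri](\s|$)", e.cmdline) is not None)


def r_schtask(e: ProcEvent) -> bool:
    """Scheduled-task creation, the persistence mechanism the article names."""
    return e.image == "schtasks.exe" and "/create" in e.cmdline.lower()


def r_tooling(e: ProcEvent) -> bool:
    """Recon, tunnelling or RMM tooling from the article's list."""
    hay = f"{e.image} {e.cmdline}".lower()
    return any(marker in hay for marker in TOOL_MARKERS)


def r_logon_enum(e: ProcEvent) -> bool:
    """PowerShell pulling successful-logon events (Security event ID 4624)."""
    c = e.cmdline.lower()
    return (e.image in PS_IMAGES and ("get-winevent" in c or "get-eventlog" in c)
            and "4624" in c)


RULES = {
    "batch_7zip_extract": r_batch_7zip,
    "mode_switch_unsigned": r_mode_switch,
    "schtask_persistence": r_schtask,
    "recon_rmm_tooling": r_tooling,
    "logon_enum_4624": r_logon_enum,
}


def evaluate(events):
    """Return {host: sorted list of distinct rule names that fired}."""
    hits = defaultdict(set)
    for e in events:
        for name, pred in RULES.items():
            if pred(e):
                hits[e.host].add(name)
    return {h: sorted(names) for h, names in hits.items()}


def triage(events, min_rules=2):
    """Hosts on which at least min_rules distinct behaviours fired; a single
    generic hit (for example the -s switch alone) is not escalated."""
    return sorted(h for h, names in evaluate(events).items() if len(names) >= min_rules)


# Constructed sample events; paths, names and hosts are placeholders.
SAMPLE_EVENTS = [
    ProcEvent("ws01", "cmd.exe", "7z.exe",
              r"7z.exe x C:\Users\Public\tmp.zip -pPLACEHOLDER -oC:\ProgramData"),
    ProcEvent("ws01", "cmd.exe", "upd.exe", r"C:\ProgramData\upd.exe -s", signed=False),
    ProcEvent("ws01", "cmd.exe", "schtasks.exe",
              r'schtasks.exe /create /sc onstart /tn "Maintenance" /tr C:\ProgramData\upd.exe'),
    ProcEvent("ws02", "explorer.exe", "powershell.exe",
              "powershell -c Get-WinEvent -FilterHashtable @{LogName='Security';Id=4624}"),
    ProcEvent("ws02", "explorer.exe", "netscan.exe", "netscan.exe"),
    # Benign: signed svchost.exe uses '-s', so the mode-switch rule must not fire.
    ProcEvent("ws03", "services.exe", "svchost.exe", "svchost.exe -k netsvcs -s Schedule"),
    # Benign: 7-Zip creating ('a') an archive, not extracting one.
    ProcEvent("ws04", "cmd.exe", "7z.exe", r"7z.exe a backup.7z C:\data"),
]

if __name__ == "__main__":
    print(evaluate(SAMPLE_EVENTS))
    print("escalate:", triage(SAMPLE_EVENTS))
```

Requiring two distinct behaviours per host before escalating is the design choice worth keeping: each rule on its own (7-Zip extraction, a `-s` switch, a scheduled task) is common in legitimate administration, but the combination the article describes is not.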

Conclusion

The self-encryption technique used by Cactus ransomware operators shows how threat actors make small changes to evade security checks. For that reason, organizations are urged to adopt a proactive defense strategy that includes applying the latest software updates and continuously monitoring the network for signs of data exfiltration.
Cyware Publisher