Cactus Ransomware Dissection
Share this:
A new ransomware group dubbed Cactus targeting vulnerabilities in VPN appliances. It has unique characteristics that encrypt itself to avoid detection by security software.
The ransomware is believed to have first been deployed in March. The ransomware targets known vulnerabilities in Fortinet VPN appliances to gain access .
Cactus goes through the regular ransomware steps – spreading through a targeted network, stealing and encrypting files as it goes along, but its obfuscation technique is what makes it interesting compared to various forms of ransomware before it.
The attackers gained their initial foothold on a VPN appliance using a service account, and they then deployed an SSH backdoor that connected back to their C2 server and was executed via a scheduled task.
Network reconnaissance is conducted using a commercial Windows network scanner made by SoftPerfect. Additional PowerShell commands and scripts were used to enumerate computers on the network and extract user accounts from the Windows Security event log. Another PowerShell-based network scanning script called PSnmap.ps1 has also been observed in some cases.
The group then dumps LSASS credentials and searches for local files that might contain passwords to identify accounts that could allow them to jump to other systems via RDP and other methods. To maintain persistence on the systems they compromised, the attackers deploy RMM tools like Splashtop, AnyDesk, and SuperOps, as well as the Cobalt Strike implant or the Chisel SOCKS5 proxy.
Cactus use a batch script to obtain the encryptor binary using 7-Zip, avoiding detection by antivirus and other security tools. The original ZIP archive is then removed, and the binary is deployed with a specific flag that allows it to execute.
The ransomware binary has three execution modes based on the flags passed to it. setup, configuration and encryption. In setup mode it will create a file called C:\ProgramData\ntuser.dat that is filled with encrypted configuration data for the ransomware. It then creates a scheduled task that executes the ransomware.
Once executed with the encryption flag, the ransomware binary will extract and decrypt a hardcoded RSA public key. It then starts generating AES keys for file encryption, and those keys are then encrypted with the RSA public key.
The process leverages the envelope implementation from the OpenSSL library, meaning the resulting encrypted file will also contain the encrypted AES key that was used to encrypt the file. To recover the AES key, the user needs the private RSA key, which is in the attackers’ hands.
Cactus’s attempts to remain unseen do not stop there, however. The ransomware also deploys a batch script that removes the most commonly used antivirus products as well.
Encrypted files are appended with a .cts1, the number at the end of the extension, has been observed to vary across incidents and victims.
The stolen data is transferred using the Rclonbe tool, Cactus has not set up a leak site. Whereas ransomware operators typically direct victims to a leak site for more information, the ransom note from Cactus asks victims to contact them by email or a backup chat service to recover their files and prevent data disclosure.
