The Cactus ransomware operators have been exploiting vulnerabilities in VPN appliances to gain initial access. The operation has been an ongoing threat since earlier this year and is financially motivated. The researchers noted that the ransomware encrypts its own binary to evade security detection.
Based on reports, the operators could gain initial access through a known flaw in Fortinet VPN appliances. The adversaries reach the targeted system through a VPN server, logging in with a VPN service account.
Subsequently, the attackers use a batch script to retrieve the encryptor binary and extract it with 7-Zip. After extraction, the script deletes the original ZIP file and executes the binary with a flag that lets it operate without being detected.
The binary has three primary execution modes, each selected by a command-line switch: setup (-s), read configuration (-r) and encryption (-i).
The Cactus ransomware operators use a scheduled task to establish persistence on the compromised device.
According to investigations, once inside the targeted network, Cactus establishes persistence through scheduled tasks and an SSH backdoor that connects back to the command-and-control server. The operators then use the SoftPerfect Network Scanner to identify potential targets.
For reconnaissance, the attackers also use PowerShell commands to enumerate endpoints and identify user accounts by reviewing successful logins in the Windows Event Viewer. Pinging hosts is also part of this reconnaissance step.
The Cactus ransomware campaign has also used a modified variant of the open-source PSnmap tool. A separate researcher revealed that the operators try several remote access methods through legitimate tools, such as Splashtop, AnyDesk and SuperOps RMM, alongside Chisel and Cobalt Strike, to deploy further malicious tooling.
Lastly, after data exfiltration, the attackers run a PowerShell script that automates the encryption process.
Cactus ransomware's self-encryption strategy shows that the threat actors have novel methods for bypassing security checks and infecting more targets. Organisations should adopt a more proactive approach, starting with applying the latest software updates to VPN appliances. The researchers also suggest that potential targets continuously monitor their networks and watch for exfiltration activity.