Unraveling the CACTUS Ransomware Group’s Recent Exploits

The motive behind this CACTUS cyber attack remains shrouded in mystery, with no discernible hacktivist agenda.

In recent cybersecurity news, a new CACTUS cyber attack has claimed two more victims, adding to the group's dark web leak-site listings. This time, the organizations the CACTUS ransomware group names are Astro Lighting and Orthum Bau.

No hacktivist agenda or other motive beyond extortion is discernible. Despite the alleged CACTUS cyber attack, both companies appear to be operating without any visible signs of disruption.

CACTUS cyber attack claims: A new player with old tactics!

Source: Twitter

The CACTUS ransomware group has been a prominent threat actor, leaving a trail of attacks in its wake over the past few months. 

Previously, The Cyber Express reported on their activities when they targeted five high-profile victims spanning different industries and regions globally. 

The affected entities included Seymours, Groupe Promotrans, MINEMAN Systems, Maxxd Trailers, and Marfrig Global Foods.

Since March 2023, the CACTUS ransomware group has been employing a multi-stage approach to infiltrate networks.

Their initial access typically exploits documented vulnerabilities in VPN appliances. Once inside, the threat actors enumerate local and network user accounts and identify reachable endpoints.

Custom scripts then automate the deployment and detonation of the ransomware encryptor via scheduled tasks.

To verify the authenticity of the alleged CACTUS cyber attack, The Cyber Express reached out to both affected companies. Astro Lighting responded: “We recently identified and contained an IT security incident which caused some minor disruption to our business operations. The matter has now been successfully contained. Astro takes its information security obligations extremely seriously. At this time, Astro has no further comment to make.”

CACTUS ransomware group’s unique encryption techniques

One of the standout features of CACTUS’ ransomware encryptor is its unusual execution method. The encryptor will not run unless it is supplied with a key that unlocks the binary, a safeguard likely intended to defeat antivirus analysis of the file at rest.

This key is concealed within a file named ntuser.dat, which otherwise contains random text, and is loaded via a scheduled task. The file name mimics the legitimate NTUSER.DAT registry hive found in every Windows user profile, so a copy sitting elsewhere on disk is easy to overlook. The CACTUS ransomware group employs a diverse set of tactics, techniques, and procedures (TTPs) to carry out their attacks.

These include leveraging tools like Chisel, Rclone, TotalExec, Scheduled Tasks, and custom scripts to bypass security measures and distribute the ransomware binary. Notably, they have been observed using a file named ntuser.dat within C:\ProgramData to pass an AES key to the encryptor for persistent execution via Scheduled Tasks.
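The two observables above, a scheduled task whose action runs a binary out of C:\ProgramData and a reference to an ntuser.dat file outside any user profile, are something a defender can hunt for in Security event 4698 (scheduled task created), whose TaskContent field carries the task XML. The following is an added example written for this article, not code from The Cyber Express or from any CACTUS analysis; the three task definitions, the task names and the binary name update.exe are constructed samples, and the two heuristics are the editor's own.

```python
"""Flag scheduled tasks that run a payload from C:\\ProgramData or reference an ntuser.dat file.

Input is the TaskContent XML that Windows Security event 4698 carries. Sample data below is
constructed for this example; task names and the update.exe binary are hypothetical.
"""
import re
import xml.etree.ElementTree as ET

# Namespace used by the Task Scheduler schema inside event 4698 TaskContent.
TASK_NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"

# Heuristic 1 (assumption): a task whose command lives under ProgramData is rare for OS tasks.
PROGRAMDATA_RE = re.compile(r"(?i)^(?:[a-z]:\\programdata\\|%programdata%\\)")
# Heuristic 2 (assumption): the only legitimate ntuser.dat is the registry hive in a user
# profile root, and no task should ever take it as a command or argument.
NTUSER_RE = re.compile(r"(?i)(?:[a-z]:\\|%[^%\s]+%\\)?\S*?ntuser\.dat")
USER_PROFILE_RE = re.compile(r"(?i)^(?:[a-z]:\\users\\|%userprofile%\\)")

# Constructed sample TaskContent payloads, keyed by task name (not real event data).
SAMPLE_EVENTS = [
    (r"\Microsoft\Windows\Defrag\ScheduledDefrag", r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author">
    <Exec>
      <Command>%windir%\system32\defrag.exe</Command>
      <Arguments>-c -h -o -$</Arguments>
    </Exec>
  </Actions>
</Task>"""),
    (r"\Updates Check", r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author">
    <Exec>
      <Command>C:\ProgramData\update.exe</Command>
      <Arguments>C:\ProgramData\ntuser.dat</Arguments>
    </Exec>
  </Actions>
</Task>"""),
    (r"\OneDrive Standalone Update Task", r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author">
    <Exec>
      <Command>C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe</Command>
    </Exec>
  </Actions>
</Task>"""),
]


def parse_exec_actions(task_xml):
    """Return [(command, arguments), ...] for every <Exec> action in a task definition."""
    root = ET.fromstring(task_xml)
    actions = []
    for exec_el in root.iter(TASK_NS + "Exec"):
        cmd = (exec_el.findtext(TASK_NS + "Command") or "").strip().strip('"')
        args = (exec_el.findtext(TASK_NS + "Arguments") or "").strip()
        actions.append((cmd, args))
    return actions


def assess_task(task_name, task_xml):
    """Return a list of human-readable reasons the task looks suspicious (empty if clean)."""
    reasons = []
    for cmd, args in parse_exec_actions(task_xml):
        if PROGRAMDATA_RE.search(cmd):
            reasons.append(f"{task_name}: runs a binary from ProgramData: {cmd}")
        for match in NTUSER_RE.finditer(f"{cmd} {args}"):
            path = match.group(0)
            where = "inside" if USER_PROFILE_RE.search(path) else "outside"
            reasons.append(f"{task_name}: references ntuser.dat {where} a user profile: {path}")
    return reasons


def hunt(events):
    """Map task name -> reasons, for only those tasks that raised at least one reason."""
    findings = {}
    for task_name, task_xml in events:
        reasons = assess_task(task_name, task_xml)
        if reasons:
            findings[task_name] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in hunt(SAMPLE_EVENTS).items():
        print(name)
        for reason in reasons:
            print("  -", reason)
```

Feed real 4698 events by extracting the TaskContent field from the EventData section of each record; the defrag and OneDrive samples show that legitimate tasks running from %windir% or a user profile pass clean, while the constructed CACTUS-style task trips both heuristics.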

In May 2023, it was revealed that CACTUS had been exploiting known vulnerabilities in VPN appliances to gain initial access to targeted networks. Once in, the operators set up an SSH backdoor for persistent access and run PowerShell commands to scan the network.

A systematic sequence of steps characterizes the CACTUS cyber attack. The group uses Cobalt Strike and Chisel for command and control, alongside remote monitoring and management (RMM) software such as AnyDesk. Their tactics include disabling security solutions, extracting credentials, and escalating privileges, culminating in data exfiltration and ransomware deployment.

The Cyber Express is closely monitoring developments in this story. Updates will be provided as soon as more information surfaces about this cyber attack or if any official statements or responses are received from the affected organizations.


Ashish Khaitan

Ashish is a technical writer at The Cyber Express. He adores writing about the latest technologies and covering the latest cybersecurity events. In his free time, he likes to play horror and open-world video games.
