A new ransomware has been detected known as Cactus. It has the capabilities of exploiting vulnerabilities in Virtual Private Network (VPN) appliances for access to networks for enterprise level operations.
This ransomware was lately found active in the month of March where its main objective is to extract as much as possible from its victims. It consists of the usual ransomware tactics such as file encryption and data theft but was also able to evade any kind of detection from antiviruses.
It is believed that the Cactus ransomware obtains initial access into a target`s network by finding and exploiting any known VPN vulnerabilities in Fortinet appliances. This has been observed in the attacks that have occurred thus far by attacking a VPN server with a VPN service account.
The difference with Cactus compared to other ransomware is the use of encryption to protect the ransomware binary. It uses a batch script to obtain the encryptor binary using 7-Zip. The original ZIP archive is removed, and the binary is deployed with a specific flag that allows it to execute. This process is unusual but effective to avoid the detection of the ransomware encryptor.
A technical report was produced, investigators from Kroll explains that there are three main modes of execution, each one selected with the use of a specific command line switch. They are known as; setup (-s), read configuration (-r), and encryption (-i). The-sand-rarguments allow the threat actors to setup persistence and store data in aC:ProgramData
tuser.datfile that is later read by the encryptor when running with the-rcommand line argument.
A unique AES key known only to the attackers must be provided using the-icommand line argument. This key is necessary to decrypt the ransomware”s configuration file and the public RSA key needed to encrypt files. It is available as a HEX string hardcoded in the encryptor binary. Decoding the HEX stringprovides a piece of encrypted data that unlocks with the AES key. Running the binary with the correct key for the-i(encryption) parameter unlocks the information and allows the malware to search for files and start a multi-thread encryption process.
When preparing a file for encryption, Cactus changes its extension to . CTS0. After encryption, the extension becomes . CTS1. Once in the network, the threat actor uses a scheduled task for persistent access using an SSH (Secure Shell) backdoor reachable from its command and control (C2) server. The attacker can also use PowerShell commands to enumerate endpoints, identify user accounts by viewing successful logins in Windows Event Viewer, and ping remote hosts.
Investigators also found that Cactus ransomware used a modified variant of theopen-source PSnmapTool, which is a PowerShell equivalent of thenmapnetwork scanner. Cactus ransomware tries multiple remote access methods through legitimate tools (e.g., Splashtop, AnyDesk, SuperOps RMM) along with Cobalt Strike and the Go-based proxy toolChisel.
Kroll investigators say that after escalating privileges on a machine, Cactus operators run a batch script that uninstalls the most used antivirus products. Like most ransomware operations, Cactus steals data from the victim. For this process, the threat actor uses the Rclone tool to transfer files straight to cloud storage. After exfiltrating data, the cybercriminals used a PowerShell script called TotalExec, often seen in BlackBasta ransomware attacks,to automate the deployment of the encryption process.
At the time of this report, it is unknown about the ransom that Cactus demands but is rumored to be in the millions while threatening victims to publish stolen files.
The Guyana National CIRT recommends that users and administrators review this alert and apply it where necessary.
PDF Download: Cactus Ransomware Encrypts itself to evade Antivirus.pdf