Cactus Ransomware Develops New Tactic to Outsmart Antivirus Software by Encrypting Itself


Written by Ari Denial, Cybersecurity & Tech Writer

According to a report by Kroll, cybersecurity researchers have identified a new strain of ransomware called CACTUS that uses known vulnerabilities in VPN appliances to infiltrate targeted networks. Once inside, the ransomware attempts to identify local and network user accounts and endpoints before creating new user accounts and deploying the ransomware encryptor using custom scripts and scheduled tasks.

Kroll investigators have reported that the Cactus ransomware uses encryption to protect its binary and prevent detection. The ransomware uses a batch script to extract the binary with 7-Zip and deploy it with a specific flag for execution.

Kroll researchers have revealed that the Cactus ransomware evades detection and bypasses antivirus and network monitoring tools by using a unique AES key that is hardcoded into its binary. The ransomware has three execution modes and uses the AES key to decrypt the configuration file and RSA key required for file encryption.

Running the binary with the correct key for the -i encryption parameter enables the ransomware to start a multi-thread encryption process and search for files. A diagram has been created by Kroll to demonstrate how the Cactus ransomware binary executes depending on the selected parameter.

According to ransomware expert Michael Gillespie, the Cactus ransomware uses multiple file extensions depending on the processing state of the file. Before encryption, the extension is changed to .CTS0, and after encryption, it becomes .CTS1. Cactus also has a quick mode, which results in the same file being encrypted twice, with a new extension appended after each pass. In various incidents involving the Cactus ransomware, Kroll has noticed that the number at the end of the .CTS extension differs.
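As an added detection example (not code from Kroll's report or this article), the following Python shows how a defender could correlate the behaviours described above over endpoint telemetry: a 7-Zip extraction followed shortly by a binary launched with the -i parameter, and a burst of file renames to a .CTS<n> extension. The event schema, thresholds, host names and file paths are assumptions, and the sample events are constructed.

```python
import re
from collections import defaultdict

# The digit after .CTS varies per incident (.CTS0 before, .CTS1 after encryption), so match any number.
CTS_EXT = re.compile(r"\.CTS\d+$", re.IGNORECASE)
EXTRACT_TO_EXEC_WINDOW = 120  # seconds between extraction and -i launch; assumed tuning value
RENAME_BURST = 3              # renames to .CTS<n> per host before alerting; assumed tuning value

def is_7zip_extract(ev):
    """7-Zip extraction (7z x / 7z e) is the staging step the report describes for the encryptor binary."""
    image = ev.get("image", "").lower()
    args = ev.get("cmdline", "").split()
    return image.endswith(("7z.exe", "7za.exe", "7zr.exe")) and any(a in ("x", "e") for a in args[1:])

def has_i_parameter(ev):
    """A binary launched with a -i argument, the mode that starts file encryption."""
    return "-i" in ev.get("cmdline", "").split()[1:]

def detect_cactus_indicators(events):
    """Return alert strings for a list of telemetry dicts sorted by timestamp (assumed schema)."""
    alerts = []
    last_extract = {}            # host -> timestamp of the most recent 7-Zip extraction
    renames = defaultdict(int)   # host -> count of renames to a .CTS<n> extension
    for ev in events:
        host, ts = ev["host"], ev["ts"]
        if ev["type"] == "process":
            if is_7zip_extract(ev):
                last_extract[host] = ts
            elif has_i_parameter(ev) and host in last_extract and ts - last_extract[host] <= EXTRACT_TO_EXEC_WINDOW:
                alerts.append(f"{host}: binary run with -i within {ts - last_extract[host]}s of 7-Zip extraction: {ev['cmdline']}")
        elif ev["type"] == "file_rename" and CTS_EXT.search(ev["new"]):
            renames[host] += 1
            if renames[host] == RENAME_BURST:
                alerts.append(f"{host}: {RENAME_BURST} renames to .CTS<n> extension, e.g. {ev['new']}")
    return alerts

# Constructed sample telemetry (not from the report); ts is seconds since epoch.
SAMPLE_EVENTS = [
    {"ts": 1000, "host": "WS01", "type": "process", "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c update.bat"},
    {"ts": 1001, "host": "WS01", "type": "process", "image": r"C:\Program Files\7-Zip\7z.exe", "cmdline": "7z.exe x stage.7z -pREDACTED"},
    {"ts": 1004, "host": "WS01", "type": "process", "image": r"C:\ProgramData\upd.exe", "cmdline": "upd.exe -i REDACTED_KEY"},
    {"ts": 1010, "host": "WS01", "type": "file_rename", "old": r"C:\Users\a\q1.xlsx", "new": r"C:\Users\a\q1.xlsx.CTS0"},
    {"ts": 1011, "host": "WS01", "type": "file_rename", "old": r"C:\Users\a\q1.xlsx.CTS0", "new": r"C:\Users\a\q1.xlsx.CTS1"},
    {"ts": 1012, "host": "WS01", "type": "file_rename", "old": r"C:\Users\a\plan.docx", "new": r"C:\Users\a\plan.docx.CTS0"},
    {"ts": 2000, "host": "WS02", "type": "process", "image": r"C:\Tools\build.exe", "cmdline": "build.exe -i config.yml"},  # no prior extraction: benign
]

if __name__ == "__main__":
    for alert in detect_cactus_indicators(SAMPLE_EVENTS):
        print(alert)
```

The -i check alone is noisy (many legitimate tools take -i); the correlation with a preceding archive extraction on the same host is what gives the rule its signal.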

A threat actor gained access to a network and maintained persistent access through an SSH backdoor that connected to a command and control (C2) server. The attacker used SoftPerfect Network Scanner to find targets, PowerShell commands to gather information, and a modified version of the PSnmap tool for deeper reconnaissance.
