Analytics Story: Cactus Ransomware

Description

Cactus ransomware is a sophisticated ransomware-as-a-service (RaaS) operation that emerged in March 2023, targeting large enterprises across various industries including finance, manufacturing, IT, and healthcare. The malware is known for its self-encrypting payload, double extortion tactics, and use of living-off-the-land techniques. Cactus operators employ a combination of legitimate remote access tools and malicious frameworks to maximize damage, often using custom encryption techniques and sophisticated persistence mechanisms.

Why it matters

Cactus ransomware represents a significant threat to enterprise environments because its attack chain relies heavily on legitimate system tools. The attack typically begins with initial access through compromised credentials or exploited vulnerabilities. Once inside the network, Cactus operators use legitimate remote access tools like AnyDesk and Splashtop, combined with malicious frameworks like Cobalt Strike and Brute Ratel, for privilege escalation and lateral movement.

The ransomware then works through a set of techniques intended to ensure successful encryption and prevent recovery. It begins by deleting volume shadow copies using WMIC commands to prevent system recovery, followed by PowerShell scripts that modify system settings and disable security tools. The malware establishes persistence through scheduled tasks and registry keys, while leveraging legitimate Windows tools (LOLBins) for execution and evasion. Before encryption, Cactus operators exfiltrate data using tools like Rclone and MegaSync to support their double extortion strategy.

Several high-profile organizations have fallen victim to Cactus ransomware attacks. In January 2024, Schneider Electric experienced a significant disruption to its Sustainability Business division. The Housing Authority of the City of Los Angeles suffered a breach in November 2024 that compromised sensitive information. CIE Automotive, a prominent automotive supplier, was targeted in August 2023. Most recently, in April 2024, Cactus operators exploited vulnerabilities in Qlik Sense servers (CVE-2023-41265 and CVE-2023-41266) to gain unauthorized access to corporate networks.

The ransomware uses AES-RSA hybrid encryption to lock files, appending .cts or .cactus extensions to encrypted files. After completing the encryption process, it drops a ransom note in each affected directory and attempts to delete itself using CMD commands with delayed execution. This combination of file encryption and cleanup makes Cactus a particularly challenging threat to detect and remediate.
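The chain above is what an analytics story is built to catch: no single event is conclusive, but shadow-copy deletion, Defender tampering, a renamed exfiltration tool and a Run-key persistence entry on one host inside a short window are together a strong signal. The following Python is an added example, not code from this page or from the Splunk security content project; it classifies a handful of constructed Sysmon-style records (process creation, event 1, and registry value set, event 13) into technique labels and raises a host-level alert once enough distinct techniques appear within a window. The event shape, host names, regular expressions and thresholds are all assumptions chosen for illustration, not the project's real SPL searches.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry in a simplified Sysmon-like shape (not real logs).
# event_id 1 = process creation, event_id 13 = registry value set.
SAMPLE_EVENTS = [
    {"ts": "2024-04-10T09:00:05", "host": "FIN-WS-07", "event_id": 1,
     "image": r"C:\Windows\System32\wbem\WMIC.exe", "original_file_name": "wmic.exe",
     "command_line": "wmic shadowcopy delete"},
    {"ts": "2024-04-10T09:00:41", "host": "FIN-WS-07", "event_id": 1,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "original_file_name": "PowerShell.EXE",
     "command_line": 'powershell -nop -c "Set-MpPreference -DisableRealtimeMonitoring $true"'},
    {"ts": "2024-04-10T09:02:13", "host": "FIN-WS-07", "event_id": 13,
     "target_object": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware",
     "details": "DWORD (0x00000001)"},
    # rclone copied to a misleading name: OriginalFileName still says rclone.exe
    {"ts": "2024-04-10T09:05:30", "host": "FIN-WS-07", "event_id": 1,
     "image": r"C:\Users\Public\svchost.exe", "original_file_name": "rclone.exe",
     "command_line": r"C:\Users\Public\svchost.exe copy D:\Finance remote:share --transfers 8"},
    {"ts": "2024-04-10T09:06:02", "host": "FIN-WS-07", "event_id": 13,
     "target_object": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "details": r"C:\Users\Public\svchost.exe"},
    # Benign noise on another host: an administrator only lists shadow copies.
    {"ts": "2024-04-10T09:03:00", "host": "IT-ADMIN-01", "event_id": 1,
     "image": r"C:\Windows\System32\vssadmin.exe", "original_file_name": "VSSADMIN.EXE",
     "command_line": "vssadmin list shadows"},
]

# Assumed patterns; a production rule would be tuned against the environment.
SHADOW_DELETE = re.compile(
    r"(wmic\s+shadowcopy\s+delete|vssadmin.*delete\s+shadows|win32_shadowcopy.*(delete|remove-wmiobject))",
    re.I)
DEFENDER_DISABLE_CMD = re.compile(
    r"set-mppreference.*-disable(realtimemonitoring|behaviormonitoring|ioavprotection)", re.I)
DEFENDER_REG = re.compile(
    r"\\Windows Defender\\(DisableAntiSpyware|DisableAntiVirus|Real-Time Protection\\Disable)", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.I)
KNOWN_TOOLS = {"rclone.exe", "psexec.exe", "psexesvc.exe"}


def classify(event):
    """Return the technique labels a single event matches (possibly none)."""
    hits = []
    if event["event_id"] == 1:
        cmd = event.get("command_line", "")
        if SHADOW_DELETE.search(cmd):
            hits.append("Inhibit System Recovery")
        if DEFENDER_DISABLE_CMD.search(cmd):
            hits.append("Disable or Modify Tools")
        ofn = event.get("original_file_name", "").lower()
        image_name = event["image"].rsplit("\\", 1)[-1].lower()
        if ofn == "rclone.exe":
            hits.append("Automated Exfiltration")
        # Renamed binary: PE OriginalFileName disagrees with the on-disk name.
        if ofn in KNOWN_TOOLS and image_name != ofn:
            hits.append("Masquerading")
    elif event["event_id"] == 13:
        target = event.get("target_object", "")
        if DEFENDER_REG.search(target) and "0x00000001" in event.get("details", ""):
            hits.append("Disable or Modify Tools")
        if RUN_KEY.search(target):
            hits.append("Registry Run Keys / Startup Folder")
    return hits


def correlate(events, window_minutes=30, min_techniques=3):
    """Alert per host when distinct techniques within one window reach the threshold."""
    per_host = defaultdict(list)
    for ev in events:
        for tech in classify(ev):
            per_host[ev["host"]].append((datetime.fromisoformat(ev["ts"]), tech))
    window = timedelta(minutes=window_minutes)
    alerts = {}
    for host, hits in per_host.items():
        hits.sort()
        for t0, _ in hits:
            techs = {tech for t, tech in hits if t0 <= t <= t0 + window}
            if len(techs) >= min_techniques:
                alerts[host] = sorted(techs)
                break
    return alerts


if __name__ == "__main__":
    for host, techs in correlate(SAMPLE_EVENTS).items():
        print(f"ALERT {host}: {', '.join(techs)}")
```

The point of the correlation step is that the individual detections in the table below remain noisy on their own (administrators do run vssadmin and Set-MpPreference); requiring several distinct techniques on the same host within a window is what turns them into a high-confidence story-level alert, and the benign IT-ADMIN-01 host never trips it.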

Detections

Name | Technique | Type
---- | --------- | ----
Access LSASS Memory for Dump Creation | LSASS Memory | TTP
Creation of lsass Dump with Taskmgr | LSASS Memory | TTP
Delete ShadowCopy With PowerShell | Inhibit System Recovery | TTP
Deleting Shadow Copies | Inhibit System Recovery | TTP
Detect PsExec With accepteula Flag | SMB/Windows Admin Shares | TTP
Detect RClone Command-Line Usage | Automated Exfiltration | TTP
Detect Remote Access Software Usage File | Remote Access Tools | Anomaly
Detect Remote Access Software Usage FileInfo | Remote Access Tools | Anomaly
Detect Remote Access Software Usage Process | Remote Access Tools | Anomaly
Detect Remote Access Software Usage Registry | Remote Access Tools | Anomaly
Detect Renamed PSExec | Service Execution | Hunting
Detect Renamed RClone | Automated Exfiltration | Hunting
Disable Defender AntiVirus Registry | Disable or Modify Tools | TTP
Disable Windows Behavior Monitoring | Disable or Modify Tools | TTP
DLLHost with no Command Line Arguments with Network | Process Injection | TTP
Executables Or Script Creation In Suspicious Path | Masquerading | Anomaly
PowerShell 4104 Hunting | PowerShell | Hunting
Ransomware Notes bulk creation | Data Encrypted for Impact | Anomaly
Registry Keys Used For Persistence | Registry Run Keys / Startup Folder | TTP
Rundll32 with no Command Line Arguments with Network | Rundll32 | TTP
SearchProtocolHost with no Command Line with Network | Process Injection | TTP
Suspicious DLLHost no Command Line Arguments | Process Injection | TTP
Suspicious SearchProtocolHost no Command Line Arguments | Process Injection | TTP
Windows Hidden Schedule Task Settings | Scheduled Task/Job | TTP
Windows Remote Access Software Hunt | Remote Access Tools | Hunting
Windows WMI Process Call Create | Windows Management Instrumentation | Hunting
Windows WMIC Shadowcopy Delete | Inhibit System Recovery | Anomaly
Suspicious Process DNS Query Known Abuse Web Services | Visual Basic | TTP
Suspicious Process With Discord DNS Query | Visual Basic | Anomaly
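The "Ransomware Notes bulk creation" anomaly in the table is a rate-based detection over file-creation telemetry (Sysmon EventID 11): a single ransom note or a single oddly named file is not interesting, but a note landing in many distinct directories within seconds, alongside files taking the .cts or .cactus extension the story describes, is. The Python below is an added example, not code from this page or from the Splunk security content project. It builds a constructed set of file-creation records and flags a host once notes appear in at least a threshold number of directories inside a sliding window. The record shape, host names, window and threshold are assumptions; the ransom note file name is a labelled placeholder because this page does not give the real one.

```python
import ntpath
from collections import defaultdict
from datetime import datetime, timedelta

ENCRYPTED_EXTENSIONS = (".cts", ".cactus")
# Placeholder: the real note file name is not stated on this page.
RANSOM_NOTE_NAME = "RANSOM_NOTE_PLACEHOLDER.txt"


def _build_samples():
    """Constructed Sysmon EventID 11-style records (host, timestamp, created file)."""
    events = []
    base = datetime(2024, 4, 10, 9, 10, 0)
    # 12 directories on FS-01 each receive an encrypted file and a note within ~45 s.
    for i in range(12):
        directory = ntpath.join(r"D:\Shares\Finance", f"Q{i % 4 + 1}", f"{i:02d}")
        t = base + timedelta(seconds=4 * i)
        events.append({"ts": t.isoformat(), "host": "FS-01",
                       "target_filename": ntpath.join(directory, "report.xlsx.cts")})
        events.append({"ts": (t + timedelta(seconds=1)).isoformat(), "host": "FS-01",
                       "target_filename": ntpath.join(directory, RANSOM_NOTE_NAME)})
    # Benign noise: one file on a developer box that merely shares the extension.
    events.append({"ts": (base + timedelta(seconds=30)).isoformat(), "host": "DEV-03",
                   "target_filename": r"C:\Users\dev\project\model.cts"})
    return events


SAMPLE_FILE_EVENTS = _build_samples()


def detect_bulk_notes(events, window_seconds=60, min_note_dirs=10):
    """Return {host: {"note_dirs": n, "encrypted_files": m}} for hosts that exceed the threshold.

    For each host the events are sorted by time and a window is anchored at each
    event in turn; the host alerts on the first window in which the ransom note
    has been written to at least min_note_dirs distinct directories.
    """
    per_host = defaultdict(list)
    for ev in events:
        per_host[ev["host"]].append((datetime.fromisoformat(ev["ts"]), ev["target_filename"]))
    window = timedelta(seconds=window_seconds)
    alerts = {}
    for host, rows in per_host.items():
        rows.sort()
        for i, (t0, _) in enumerate(rows):
            in_window = [(t, p) for t, p in rows[i:] if t <= t0 + window]
            note_dirs = {ntpath.dirname(p) for _, p in in_window
                         if ntpath.basename(p).lower() == RANSOM_NOTE_NAME.lower()}
            if len(note_dirs) >= min_note_dirs:
                encrypted = sum(1 for _, p in in_window
                                if p.lower().endswith(ENCRYPTED_EXTENSIONS))
                alerts[host] = {"note_dirs": len(note_dirs), "encrypted_files": encrypted}
                break
    return alerts


if __name__ == "__main__":
    for host, stats in detect_bulk_notes(SAMPLE_FILE_EVENTS).items():
        print(f"ALERT {host}: note in {stats['note_dirs']} directories, "
              f"{stats['encrypted_files']} files with a Cactus extension")
```

Counting distinct directories rather than raw note creations matters: a user copying one document twenty times into one folder should not alert, while a note in every folder of a share is exactly the "one note per affected directory" behaviour the story describes. The extension count is reported alongside as supporting context rather than as a trigger, since a legitimate file type can share an extension, as the DEV-03 record shows.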

Data Sources

Name | Platform | Sourcetype | Source
---- | -------- | ---------- | ------
CrowdStrike ProcessRollup2 | N/A | crowdstrike:events:sensor | crowdstrike
Powershell Script Block Logging 4104 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-PowerShell/Operational
Sysmon EventID 1 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 10 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 11 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 12 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 13 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 22 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 3 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Windows Event Log Security 4688 | Windows | xmlwineventlog | XmlWinEventLog:Security
Windows Event Log Security 4698 | Windows | xmlwineventlog | XmlWinEventLog:Security

Source: GitHub | Version: 1