Analytics Story: Cactus Ransomware

Description

Cactus ransomware is a sophisticated ransomware-as-a-service (RaaS) operation that emerged in March 2023, targeting large enterprises across various industries including finance, manufacturing, IT, and healthcare. The malware is known for its self-encrypting payload, double extortion tactics, and use of living-off-the-land techniques. Cactus operators employ a combination of legitimate remote access tools and malicious frameworks to maximize damage, often using custom encryption techniques and sophisticated persistence mechanisms.

Why it matters

Cactus ransomware represents a significant threat to enterprise environments because its attack chain relies heavily on legitimate system tools. The attack typically begins with initial access through compromised credentials or exploited vulnerabilities. Once inside the network, Cactus operators use legitimate remote access tools such as AnyDesk and Splashtop, combined with malicious frameworks such as Cobalt Strike and Brute Ratel, for privilege escalation and lateral movement.

The ransomware employs a layered set of techniques to ensure successful encryption and prevent recovery. It begins by deleting volume shadow copies with WMIC commands to block system recovery, followed by PowerShell scripts that modify system settings and disable security tools. The malware establishes persistence by creating scheduled tasks and registry keys, and leverages legitimate Windows binaries (LOLBins) for execution and evasion. Before encryption, Cactus operators exfiltrate data with tools such as Rclone and MegaSync to support their double extortion strategy.

Several high-profile organizations have fallen victim to Cactus ransomware attacks. In January 2024, Schneider Electric experienced a significant disruption to its Sustainability Business division. The Housing Authority of the City of Los Angeles suffered a breach in November 2024 that compromised sensitive information. CIE Automotive, a prominent automotive supplier, was targeted in August 2023. Most recently, in April 2024, Cactus operators exploited vulnerabilities in Qlik Sense servers (CVE-2023-41265 and CVE-2023-41266) to gain unauthorized access to corporate networks.

The ransomware uses AES-RSA hybrid encryption to lock files, appending .cts or .cactus extensions to encrypted files. After completing the encryption process, it drops a ransom note in each affected directory and attempts to delete itself using CMD commands with delayed execution. This combination of file encryption and self-cleanup makes Cactus a particularly challenging threat to detect and remediate.
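Three of the behaviours described above (shadow copy deletion, Rclone exfiltration including a renamed binary, and a burst of ransom notes written to many directories) map directly onto process-creation and file-creation telemetry such as Sysmon EventID 1 and EventID 11. The script below is an added example, not Splunk's detection content or Cactus's code: it runs simple versions of those three checks over a handful of constructed Sysmon-shaped records. The hostnames, paths, the note filename `RECOVER_FILES.txt`, and the thresholds are assumptions chosen for the example.

```python
"""Toy detection pass over constructed Sysmon-shaped events (EventID 1 = process
creation, EventID 11 = file creation).  Field names follow Sysmon's schema; the
record contents, paths and thresholds are made up for this example."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry from one host.  The third process event models a
# renamed Rclone binary: the PE's OriginalFileName survives the rename on disk.
EVENTS = [
    {"EventID": 1, "UtcTime": "2024-01-10 09:00:01", "Computer": "ws01",
     "Image": r"C:\Windows\System32\wbem\WMIC.exe", "OriginalFileName": "wmic.exe",
     "CommandLine": "wmic shadowcopy delete /nointeractive"},
    {"EventID": 1, "UtcTime": "2024-01-10 09:00:05", "Computer": "ws01",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "OriginalFileName": "PowerShell.EXE",
     "CommandLine": 'powershell -c "Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete()}"'},
    {"EventID": 1, "UtcTime": "2024-01-10 09:02:00", "Computer": "ws01",
     "Image": r"C:\ProgramData\svchost.exe", "OriginalFileName": "rclone.exe",
     "CommandLine": r"svchost.exe copy D:\Finance remote:bk --transfers 32 --no-check-certificate"},
    {"EventID": 1, "UtcTime": "2024-01-10 09:03:00", "Computer": "ws01",
     "Image": r"C:\Windows\System32\notepad.exe", "OriginalFileName": "NOTEPAD.EXE",
     "CommandLine": r"notepad.exe C:\Users\a\notes.txt"},
]
# 25 copies of the same (constructed) note name written to 25 directories in 25 seconds.
EVENTS += [
    {"EventID": 11, "UtcTime": f"2024-01-10 09:05:{i:02d}", "Computer": "ws01",
     "Image": r"C:\ProgramData\enc.exe",
     "TargetFilename": rf"C:\Users\a\Documents\dir{i}\RECOVER_FILES.txt"}
    for i in range(25)
]

# Command-line shapes for the three shadow-copy deletion routes named on the page.
SHADOW_COPY_PATTERNS = [
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"Win32_Shadowcopy.*\.Delete\(\)", re.I | re.S),
]
# Flags commonly seen on Rclone command lines; two or more is treated as a hit
# even when the binary has been renamed.
RCLONE_FLAGS = ("--config", "--transfers", "--no-check-certificate",
                "--multi-thread-streams", "--ignore-existing")


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def detect_shadow_copy_deletion(events):
    """Inhibit System Recovery: process events whose command line deletes shadow copies."""
    return [e for e in events if e["EventID"] == 1
            and any(p.search(e["CommandLine"]) for p in SHADOW_COPY_PATTERNS)]


def detect_rclone(events):
    """Automated Exfiltration: Rclone by OriginalFileName or by flag fingerprint."""
    hits = []
    for e in events:
        if e["EventID"] != 1:
            continue
        on_disk = e["Image"].rsplit("\\", 1)[-1].lower()
        original = e.get("OriginalFileName", "").lower()
        flag_count = sum(1 for f in RCLONE_FLAGS if f in e["CommandLine"].lower())
        if original == "rclone.exe" or flag_count >= 2:
            hits.append({"event": e, "renamed": original == "rclone.exe" and on_disk != original})
    return hits


def detect_ransom_note_burst(events, window=timedelta(minutes=5), threshold=20):
    """Data Encrypted for Impact: one process writes the same filename into at
    least `threshold` distinct directories within `window` (sliding window)."""
    buckets = defaultdict(list)
    for e in events:
        if e["EventID"] != 11:
            continue
        directory, _, fname = e["TargetFilename"].rpartition("\\")
        buckets[(e["Computer"], e["Image"], fname.lower())].append((_ts(e["UtcTime"]), directory))
    alerts = []
    for (host, image, note), items in buckets.items():
        items.sort()
        best, start = 0, 0
        for end in range(len(items)):
            while items[end][0] - items[start][0] > window:
                start += 1
            best = max(best, len({d for _, d in items[start:end + 1]}))
        if best >= threshold:
            alerts.append({"host": host, "image": image, "note": note, "directories": best})
    return alerts


def run_all(events=EVENTS):
    return {"shadow_copy": detect_shadow_copy_deletion(events),
            "rclone": detect_rclone(events),
            "ransom_notes": detect_ransom_note_burst(events)}


if __name__ == "__main__":
    for name, hits in run_all().items():
        print(f"{name}: {len(hits)} hit(s)")
```

The Rclone check deliberately keys on `OriginalFileName` rather than the on-disk name, which is the same idea behind the "Detect Renamed RClone" entry in the table below: the PE version resource is not changed by renaming the file. The ransom-note check is a per-process, per-filename sliding window over distinct directories, so a single user saving one file many times does not trigger it, while a note dropped into every encrypted folder does.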

Detections

| Name | Technique | Type |
|---|---|---|
| Detect Remote Access Software Usage Registry | Remote Access Tools | Anomaly |
| Ransomware Notes bulk creation | Data Encrypted for Impact | Anomaly |
| Registry Keys Used For Persistence | Registry Run Keys / Startup Folder | TTP |
| Suspicious Process With Discord DNS Query | Visual Basic | Anomaly |
| Access LSASS Memory for Dump Creation | LSASS Memory | TTP |
| Executables Or Script Creation In Suspicious Path | Masquerading | Anomaly |
| Detect Renamed PSExec | Service Execution | Hunting |
| HTTP PUA User Agent | Web Protocols | Anomaly |
| Suspicious DLLHost no Command Line Arguments | Process Injection | TTP |
| Windows PUA Named Pipe | SMB/Windows Admin Shares, Process Injection, Inter-Process Communication | Anomaly |
| Detect PsExec With accepteula Flag | SMB/Windows Admin Shares | TTP |
| Detect Remote Access Software Usage File | Remote Access Tools | Anomaly |
| Detect Renamed RClone | Automated Exfiltration | Hunting |
| Windows WMI Process Call Create | Windows Management Instrumentation | Hunting |
| Delete ShadowCopy With PowerShell | Inhibit System Recovery | TTP |
| PowerShell 4104 Hunting | PowerShell | Hunting |
| Deleting Shadow Copies | Inhibit System Recovery | TTP |
| SearchProtocolHost with no Command Line with Network | Process Injection | TTP |
| Suspicious Process DNS Query Known Abuse Web Services | Visual Basic | TTP |
| Disable Defender AntiVirus Registry | Disable or Modify Tools | TTP |
| Windows WMIC Shadowcopy Delete | Inhibit System Recovery | Anomaly |
| Creation of lsass Dump with Taskmgr | LSASS Memory | TTP |
| Detect Remote Access Software Usage Process | Remote Access Tools | Anomaly |
| DLLHost with no Command Line Arguments with Network | Process Injection | TTP |
| Suspicious SearchProtocolHost no Command Line Arguments | Process Injection | TTP |
| Windows RMM Named Pipe | SMB/Windows Admin Shares, Process Injection, Inter-Process Communication | Anomaly |
| Detect RClone Command-Line Usage | Automated Exfiltration | TTP |
| Detect Remote Access Software Usage FileInfo | Remote Access Tools | Anomaly |
| Disable Windows Behavior Monitoring | Disable or Modify Tools | TTP |
| Rundll32 with no Command Line Arguments with Network | Rundll32 | TTP |
| Windows Hidden Schedule Task Settings | Scheduled Task/Job | TTP |

Data Sources

| Name | Platform | Sourcetype | Source |
|---|---|---|---|
| Sysmon EventID 13 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Sysmon EventID 11 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Sysmon EventID 22 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Sysmon EventID 10 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Windows Event Log Security 4688 | Windows | XmlWinEventLog | XmlWinEventLog:Security |
| Sysmon EventID 1 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| CrowdStrike ProcessRollup2 | Other | crowdstrike:events:sensor | crowdstrike |
| Suricata | Other | suricata | not_applicable |
| Sysmon EventID 18 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Sysmon EventID 17 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Powershell Script Block Logging 4104 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-PowerShell/Operational |
| Sysmon EventID 3 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Cisco Network Visibility Module Flow Data | Network | cisco:nvm:flowdata | not_applicable |
| Windows Event Log Security 4698 | Windows | XmlWinEventLog | XmlWinEventLog:Security |

References


Source: GitHub | Version: 2