
New Self-Encrypting Cactus Ransomware Hides From Antivirus


By David Brown

Jul 3, 2023
Cactus Ransomware Evades Antivirus Detection

The Cactus ransomware operation has been active since at least March and demands hefty payments from its targets. The new threat actor uses the file encryption and data theft techniques standard in ransomware attacks, but adds a twist of its own to avoid being noticed.

Twist in encrypted configuration

Researchers from the corporate investigative and risk consulting firm Kroll have found that Cactus ransomware gains access to target networks by exploiting well-known flaws in Fortinet VPN appliances. What sets Cactus apart from other ransomware is that it encrypts its own binary in order to avoid detection.

Its three primary modes of operation are setup, read configuration, and encryption. Cactus needs a specific AES key to encrypt files, and this key is hardcoded in the encryptor program as a hex string. Cactus can also run in "quick mode," which encrypts the same file twice and appends a new extension after each pass; the extension given to a targeted file therefore indicates its processing status.

Ransomware Cactus TTPs

Security flaws in Fortinet VPN appliances are thought to be how Cactus ransomware first gains access to target networks. The attacker uses several modes of operation, including establishing persistence and storing data, and protects the ransomware binary with encryption. The malware changes file extensions and offers two encryption options: a quick pass and full encryption.
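The two paragraphs above describe a behaviour a defender can look for on a file share: files that have been encrypted (high-entropy content) and that carry one or more extensions appended after their original one, as happens after each encryption pass. The following is an added example written for this article, not code from Kroll or from the ransomware itself. It assumes a list of "known" document extensions and uses the placeholder extensions `.enc1` and `.enc2` in its constructed sample data; those are not the extensions Cactus actually uses, which the article does not name.

```python
from __future__ import annotations

import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Bits per byte above which content looks encrypted or compressed
# (random data scores close to 8.0; text usually well under 5.0).
ENTROPY_THRESHOLD = 7.5

# Extensions expected on an ordinary document share (assumption for this example).
KNOWN_EXTENSIONS = {".docx", ".xlsx", ".pptx", ".pdf", ".txt", ".jpg", ".png", ".zip", ".gz"}


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def stacked_unknown_extensions(name: str) -> list[str]:
    """Extensions appended after the last known one, in file-name order.

    "report.docx.aaa.bbb" -> [".aaa", ".bbb"]; "report.docx" -> [].
    """
    trailing: list[str] = []
    for suffix in reversed(Path(name).suffixes):
        if suffix.lower() in KNOWN_EXTENSIONS:
            break
        trailing.append(suffix)
    return list(reversed(trailing))


def assess_file(path: Path, sample_bytes: int = 4096) -> dict:
    """Score one file: appended extensions plus entropy of its first bytes."""
    with open(path, "rb") as fh:
        head = fh.read(sample_bytes)
    appended = stacked_unknown_extensions(path.name)
    entropy = shannon_entropy(head)
    # Both signals together: a renamed file whose content no longer looks like a document.
    suspicious = bool(appended) and entropy >= ENTROPY_THRESHOLD
    return {
        "path": str(path),
        "appended": appended,
        "entropy": round(entropy, 2),
        "suspicious": suspicious,
    }


def scan_directory(root: str) -> list[dict]:
    """Walk a directory tree and assess every regular file."""
    results = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            results.append(assess_file(Path(dirpath) / name))
    return sorted(results, key=lambda r: r["path"])


def build_sample_tree() -> str:
    """Create a constructed sample share: one untouched spreadsheet and one
    file that has been through two encryption passes, each adding an extension."""
    root = tempfile.mkdtemp(prefix="ransom_demo_")
    clean = Path(root) / "budget.xlsx"
    clean.write_bytes(b"plain spreadsheet text " * 200)
    # os.urandom stands in for ciphertext; ".enc1"/".enc2" are placeholder
    # names chosen for this example, NOT the real Cactus extensions.
    twice_encrypted = Path(root) / "budget.xlsx.enc1.enc2"
    twice_encrypted.write_bytes(os.urandom(4096))
    return root


if __name__ == "__main__":
    for row in scan_directory(build_sample_tree()):
        flag = "SUSPICIOUS" if row["suspicious"] else "ok"
        print(f"{flag:10} entropy={row['entropy']:.2f} appended={row['appended']} {row['path']}")
```

Requiring both signals keeps false positives down: an archive such as `backup.tar.gz` has high entropy but a known final extension, and a renamed text file has an unexpected extension but low entropy. In practice the known-extension list and the sampled byte count would be tuned to the share being monitored.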

Cactus also employs a variety of tools and techniques for remote access, privilege escalation, and data exfiltration. Although it is unclear whether the group runs a leak site, it is demanding millions in ransom. Organizations can protect themselves by keeping software up to date, monitoring for data leakage, and responding swiftly to malware infections.


David Brown

With years of expertise in the field, I bring a wealth of knowledge and insights to our platform. Our editor's extensive research and understanding of the drug landscape ensure that their content is accurate, informative, and engaging.