Cybersecurity researchers have detailed a new ransomware strain called CACTUS that has been found to exploit known vulnerabilities in VPN appliances to gain initial access to targeted networks.
“Once on a network, CACTUS actors try to enumerate local and network user accounts as well as reachable endpoints before creating new user accounts and leveraging custom scripts to automate the deployment and detonation of the ransomware encryptor via scheduled tasks,” Kroll said in a report shared with The Hacker News.
The ransomware has been observed targeting large commercial entities since March 2023, with attacks using double extortion tactics to steal sensitive data before encryption. No data leak sites have been identified to date.
After successfully exploiting a vulnerable VPN device, an SSH backdoor is set up to maintain persistent access and a series of PowerShell commands are executed to perform a network scan and identify a list of machines for encryption.
The CACTUS attacks also make use of Cobalt Strike and the tunneling tool Chisel for command-and-control, alongside remote monitoring and management (RMM) software such as AnyDesk to push files to infected hosts.
Steps are also taken to disable and uninstall security software and to extract credentials from web browsers and the Local Security Authority Subsystem Service (LSASS) in order to escalate privileges.
A new aspect of CACTUS is the use of a batch script to extract the ransomware binary with 7-Zip, followed by deleting the .7z archive before running the payload.
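As an added example that is not part of Kroll's report, the following detector looks for the unpack-delete-execute chain described above in process-creation telemetry. The records, hosts, paths and archive password are constructed for illustration; a real deployment would read Sysmon or EDR events instead.

```python
"""Flag the CACTUS-style chain: 7-Zip extracts a password-protected archive,
the .7z is deleted, then a binary runs from the extraction directory."""
from datetime import datetime, timedelta
import re

WINDOW = timedelta(minutes=5)  # all three steps must land inside this window

# Constructed Sysmon-like process events: (timestamp, host, command line).
EVENTS = [
    ("2023-04-10T02:15:01", "WS01", r'"C:\Tools\7z.exe" x C:\ProgramData\upd.7z -pS3cret -oC:\ProgramData\x'),
    ("2023-04-10T02:15:03", "WS01", r'cmd.exe /c del C:\ProgramData\upd.7z'),
    ("2023-04-10T02:15:04", "WS01", r'C:\ProgramData\x\svc.exe -i'),
    # Benign restore on another host: no deletion, execution far outside the window.
    ("2023-04-10T09:00:00", "WS02", r'"C:\Program Files\7-Zip\7z.exe" x backup.7z -oC:\Users\bob\restore'),
    ("2023-04-10T09:45:00", "WS02", r'C:\Users\bob\restore\report.exe'),
]

# 7z "x"/"e" extraction with an archive argument and an -o output directory.
EXTRACT = re.compile(r'7z(?:\.exe)?"?\s+[xe]\s+(?P<arc>\S+\.7z)\s.*?-o(?P<out>\S+)', re.I)
# A shell delete naming a .7z file.
DELETE = re.compile(r'\bdel\b.*?(?P<arc>\S+\.7z)', re.I)


def find_chains(events):
    """Return [(host, archive)] where extract -> delete archive -> execute
    from the output directory occur in that order within WINDOW."""
    hits = []
    by_host = {}
    for ts, host, cmd in sorted(events):
        by_host.setdefault(host, []).append((datetime.fromisoformat(ts), cmd))
    for host, evs in by_host.items():
        for i, (t0, cmd) in enumerate(evs):
            m = EXTRACT.search(cmd)
            if not m:
                continue
            arc = m.group("arc").lower()
            out = m.group("out").lower().rstrip("\\")
            deleted = False
            for t, later in evs[i + 1:]:
                if t - t0 > WINDOW:
                    break
                d = DELETE.search(later)
                if d and d.group("arc").lower() == arc:
                    deleted = True  # archive removed after extraction
                elif deleted and later.lower().lstrip('"').startswith(out + "\\"):
                    hits.append((host, arc))  # payload launched from the output dir
                    break
    return hits


if __name__ == "__main__":
    for host, arc in find_chains(EVENTS):
        print(f"[ALERT] {host}: {arc} extracted, deleted, then payload executed")
```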
“CACTUS essentially encrypts itself, making it harder to detect and helping it evade antivirus and network monitoring tools,” Laurie Iacono, associate managing director for cyber risk at Kroll, told The Hacker News.
“This new ransomware variant under the name CACTUS exploits vulnerabilities in popular VPN tools, demonstrating that threat actors continue to target remote access services and unpatched vulnerabilities for initial access.”
The development comes days after Trend Micro described another ransomware family, known as Rapture, that shares some similarities with other families such as Heaven.
“The entire chain of infection lasts three to five days at most,” the company said, with initial reconnaissance followed by the deployment of Cobalt Strike, which is then used to drop the .NET-based ransomware.
The intrusion is believed to be facilitated via publicly exposed websites and servers, so organizations must keep their systems up to date and enforce the principle of least privilege (POLP).
“Even though its operators used readily available tools and resources, they were able to use them in ways that enhanced Rapture’s capabilities by making them more stealthy and more difficult to analyze,” said Trend Micro.
CACTUS and Rapture are the latest additions to the long list of new ransomware families uncovered in recent weeks, including Gazprom, BlackBit, UNIZA, Akira, and a variant of the NoCry ransomware called Kadavro Vector.