New Cactus Ransomware Encrypts Itself to Avoid Detection
A new ransomware, Cactus, has been targeting vulnerabilities in Fortinet VPN appliances to gain access to the networks of large commercial organizations since March this year. The ransomware operation is seeking large sums of money from its victims and has a unique approach to avoid detection.
The intrusions of the Cactus ransomware have exploited vulnerabilities specifically within Fortinet VPN appliances. Once they’ve gained access, the threat actors appear to operate according to the conventional double-extortion strategy, which steals the data before encrypting it.
Researchers at Kroll told Bleeping Computer that Cactus encrypts its binary to prevent detection from antivirus software and network monitoring tools. The attackers can then use a unique AES key known only to them to decrypt and access the ransomware’s configuration file and public RSA key, both of which are needed to encrypt the files on the victim’s system.
After the correct key is provided by the attackers, the ransomware can then begin the search for files and begin a multi-thread encryption process. The process of encryption involves changing a file extension to.CTS0 before encryption, which eventually becomes.CTS1 after encryption. Cactus also has a "quick mode", akin to a light encryption pass.
Cactus relies on a scheduled task to ensure continued access through an SSH backdoor. It also uses a SoftPerfect Network Scanner (netscan) for identifying interesting targets on the network, and PowerShell commands for enumerating endpoints, identifying user accounts, and pinging remote hosts.
The operation also attempts to take control via several remote access methods through legitimate tools such as AnyDesk, Splashtop, SuperOps RMM, Cobalt Strike, and Chisel.
Like many ransomware operations, Cactus extracts data from targets and uses the Rclone tool to transfer files directly to cloud storage. After exfiltrating data, the hackers use the TotalExec PowerShell script to automate the deployment of the encryption process.
The threat actors then commonly threaten victims with publishing stolen files unless payment is made. However, no public information is available regarding the targeted victims, the ransom amounts, or the hackers' reliability in providing a genuine decryptor if paid.
As all attacks analyzed have used vulnerabilities present in Fortinet VPN products, we’d recommend choosing a high-quality alternative VPN to protect yourself from Cactus ransomware. You should also keep all software up-to-date and use strong and unique passwords for all accounts.