We review vendors based on rigorous testing and research but also take into account your feedback and our affiliate commission with providers. Some providers are owned by our parent company.
Learn more
vpnMentor was established in 2014 to review VPN services and cover privacy-related stories. Today, our team of hundreds of cybersecurity researchers, writers, and editors continues to help readers fight for their online freedom in partnership with Kape Technologies PLC, which also owns the following products: ExpressVPN, CyberGhost, and Private Internet Access which may be ranked and reviewed on this website. The reviews published on vpnMentor are believed to be accurate as of the date of each article, and written according to our strict reviewing standards that prioritize professional and honest examination of the reviewer, taking into account the technical capabilities and qualities of the product together with its commercial value for users. The rankings and reviews we publish may also take into consideration the common ownership mentioned above, and affiliate commissions we earn for purchases through links on our website. We do not review all VPN providers and information is believed to be accurate as of the date of each article.
Advertising Disclosure

vpnMentor was established in 2014 to review VPN services and cover privacy-related stories. Today, our team of hundreds of cybersecurity researchers, writers, and editors continues to help readers fight for their online freedom in partnership with Kape Technologies PLC, which also owns the following products: ExpressVPN, CyberGhost, and Private Internet Access which may be ranked and reviewed on this website. The reviews published on vpnMentor are believed to be accurate as of the date of each article, and written according to our strict reviewing standards that prioritize professional and honest examination of the reviewer, taking into account the technical capabilities and qualities of the product together with its commercial value for users. The rankings and reviews we publish may also take into consideration the common ownership mentioned above, and affiliate commissions we earn for purchases through links on our website. We do not review all VPN providers and information is believed to be accurate as of the date of each article.

New Cactus Ransomware Encrypts Itself to Avoid Detection

New Cactus Ransomware Encrypts Itself to Avoid Detection
Author Image Keira Waddell
Keira Waddell Published on 9th May 2023 Senior Writer

A new ransomware, Cactus, has been targeting vulnerabilities in Fortinet VPN appliances to gain access to the networks of large commercial organizations since March this year. The ransomware operation is seeking large sums of money from its victims and has a unique approach to avoid detection.

The intrusions of the Cactus ransomware have exploited vulnerabilities specifically within Fortinet VPN appliances. Once they’ve gained access, the threat actors appear to operate according to the conventional double-extortion strategy, which steals the data before encrypting it.

Researchers at Kroll told Bleeping Computer that Cactus encrypts its binary to prevent detection from antivirus software and network monitoring tools. The attackers can then use a unique AES key known only to them to decrypt and access the ransomware’s configuration file and public RSA key, both of which are needed to encrypt the files on the victim’s system.

After the correct key is provided by the attackers, the ransomware can then begin the search for files and begin a multi-thread encryption process. The process of encryption involves changing a file extension to.CTS0 before encryption, which eventually becomes.CTS1 after encryption. Cactus also has a "quick mode", akin to a light encryption pass.

Cactus relies on a scheduled task to ensure continued access through an SSH backdoor. It also uses a SoftPerfect Network Scanner (netscan) for identifying interesting targets on the network, and PowerShell commands for enumerating endpoints, identifying user accounts, and pinging remote hosts.

The operation also attempts to take control via several remote access methods through legitimate tools such as AnyDesk, Splashtop, SuperOps RMM, Cobalt Strike, and Chisel.

Like many ransomware operations, Cactus extracts data from targets and uses the Rclone tool to transfer files directly to cloud storage. After exfiltrating data, the hackers use the TotalExec PowerShell script to automate the deployment of the encryption process.

The threat actors then commonly threaten victims with publishing stolen files unless payment is made. However, no public information is available regarding the targeted victims, the ransom amounts, or the hackers' reliability in providing a genuine decryptor if paid.

As all attacks analyzed have used vulnerabilities present in Fortinet VPN products, we’d recommend choosing a high-quality alternative VPN to protect yourself from Cactus ransomware. You should also keep all software up-to-date and use strong and unique passwords for all accounts.

About the Author

Keira is an experienced cybersecurity and tech writer dedicated to providing comprehensive insights on VPNs, online privacy, and internet censorship.