Security researchers have flagged a ransomware strain called Cactus that exploits flaws in VPN apps to gain access to “large commercial entities”. The malware has apparently been operational since March.
According to research from cybersecurity vendor Kroll, the criminals behind the ransomware encrypt the malware’s binary, a technique that sets them apart from other ransomware operators.
Cactus encrypts its ransomware code
Cactus ransomware is being used to infiltrate companies’ networks via known vulnerabilities in the widely used Fortinet VPN.
“Once inside the network, Cactus actors attempt to enumerate local and network user accounts in addition to reachable endpoints before creating new user accounts and leveraging custom scripts to automate the deployment and detonation of the ransomware encryptor via scheduled tasks,” Kroll’s report said.
Attackers then apply double extortion to pressure victims into paying: they withhold the decryption key and threaten to release sensitive information until the victim gives in. The gang does not appear to have a data leak site yet.
Cactus attacks use Cobalt Strike malware with a tool called Chisel for command-and-control, alongside remote monitoring and management software such as AnyDesk to push files to infected hosts.
Throughout this process, security solutions are disabled and uninstalled, and credentials are scraped for privilege escalation later in the attack.
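As an added illustration (not code from Kroll’s report or from this article), the following Python checks a set of constructed Windows Security event records for the chain described above: a newly created account that then registers a scheduled task on the same host within a short window. The hostnames, account names, task names and timestamps are constructed; the event IDs 4720 (user account created) and 4698 (scheduled task created) are standard Windows Security log IDs.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry): 4720 = user account created,
# 4698 = scheduled task created. "subject" is the account performing the action.
SAMPLE_EVENTS = [
    {"ts": "2023-05-01T02:10:00", "host": "FS01", "id": 4720,
     "subject": "svc_backup", "target": "newadmin01"},
    {"ts": "2023-05-01T02:14:30", "host": "FS01", "id": 4698,
     "subject": "newadmin01", "task": "\\UpdateTask"},
    {"ts": "2023-05-01T09:00:00", "host": "WS22", "id": 4720,
     "subject": "helpdesk", "target": "jdoe"},
    {"ts": "2023-05-03T09:05:00", "host": "WS22", "id": 4698,
     "subject": "SYSTEM", "task": "\\Backup"},
]


def event_time(ev):
    """Parse the ISO-8601 timestamp of an event record."""
    return datetime.fromisoformat(ev["ts"])


def find_account_then_task(events, window=timedelta(hours=1)):
    """Return hosts where an account created by a 4720 event goes on to
    create a scheduled task (4698) on the same host within `window`.

    A fresh account immediately scheduling tasks matches the deployment
    pattern described in the article; benign onboarding (account created,
    task later created by SYSTEM) does not trigger."""
    created = {}  # (host, account) -> creation time
    hits = []
    for ev in sorted(events, key=event_time):
        if ev["id"] == 4720:
            created[(ev["host"], ev["target"].lower())] = event_time(ev)
        elif ev["id"] == 4698:
            key = (ev["host"], ev["subject"].lower())
            if key in created and event_time(ev) - created[key] <= window:
                hits.append({"host": ev["host"], "account": ev["subject"],
                             "task": ev["task"]})
    return hits


if __name__ == "__main__":
    for hit in find_account_then_task(SAMPLE_EVENTS):
        print(f"ALERT {hit['host']}: new account {hit['account']} "
              f"created task {hit['task']}")
```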
“Cactus essentially encrypts itself, making it harder to detect and helping it evade antivirus and network monitoring tools,” Laurie Iacono, associate managing director for cyber risk at Kroll, said.
“This new ransomware variant under the name Cactus leverages a vulnerability in a popular VPN appliance, showing that threat actors continue to target remote access services and unpatched vulnerabilities for initial access,” he said.
There are currently no confirmed victims of the ransomware as the gang does not have a victim blog. However, companies that have been attacked are reportedly being asked for ransom payments “in the millions” of dollars, according to sources that spoke to Bleeping Computer.
Cactus issues a ransom note which reads: “Your systems were accessed and encrypted by Cactus. To recover your files and prevent data disclosure contact us via email.”