
New ransomware Cactus can encrypt its own code

The criminals behind this malware infiltrate systems via VPN vulnerabilities, and are reportedly demanding hefty ransoms.

By Claudia Glover

Security researchers have flagged a ransomware strain called Cactus that exploits flaws in VPN apps to gain access to “large commercial entities”. The malware has apparently been operational since March.

New ransomware encrypts its own binary code (Photo by Brent Coulter/Shutterstock)

The criminals behind the ransomware use encryption to protect the malware’s binary, setting them apart from other hackers, research from cybersecurity vendor Kroll says.

Cactus encrypts its ransomware code

Cactus ransomware is being used to infiltrate companies’ networks via known vulnerabilities in the widely-used Fortinet VPN.

“Once inside the network, Cactus actors attempt to enumerate local and network user accounts in addition to reachable endpoints before creating new user accounts and leveraging custom scripts to automate the deployment and detonation of the ransomware encryptor via scheduled tasks,” Kroll’s report said.

Attackers then use double extortion to force their victims into paying: the criminals threaten to release sensitive information while also withholding the decryption key until the victims give in. The gang does not appear to have a data leak site yet.

Cactus attacks use Cobalt Strike malware with a tool called Chisel for command-and-control, alongside remote monitoring and management software like AnyDesk to push files to infected hosts.

Security solutions are disabled and uninstalled throughout this process and credentials are scraped to escalate privileges later on in the attack.
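
The sequence Kroll describes, new user accounts followed by scheduled tasks that deploy the encryptor, can be hunted for by correlating Windows Security events on each host. The following is an added example, not code from Kroll or this article; it assumes events 4720 and 4698 are being collected, and the records, host names and account names are constructed.

```python
from datetime import datetime, timedelta

# Real Windows Security event IDs; every record below is constructed.
ACCOUNT_CREATED = 4720  # "A user account was created"
TASK_CREATED = 4698     # "A scheduled task was created"

SAMPLE_EVENTS = [
    {"time": "2023-05-08T02:11:40", "host": "FS01", "id": 4720,
     "subject": "svc-vpn", "target": "helpdesk2"},
    {"time": "2023-05-08T02:19:05", "host": "FS01", "id": 4698,
     "subject": "helpdesk2", "target": "\\Updates Check"},
    {"time": "2023-05-08T09:00:12", "host": "WS14", "id": 4698,
     "subject": "jsmith", "target": "\\Backup Nightly"},
    {"time": "2023-05-08T10:30:00", "host": "DC02", "id": 4720,
     "subject": "hr-admin", "target": "new.hire"},
    {"time": "2023-05-09T11:45:00", "host": "DC02", "id": 4698,
     "subject": "hr-admin", "target": "\\Report Export"},
]

def find_account_then_task(events, window=timedelta(hours=1)):
    """Flag scheduled tasks created on a host within `window` of an
    account being created on that same host."""
    created = {}  # host -> [(creation time, new account name)]
    hits = []
    for ev in sorted(events, key=lambda e: e["time"]):
        when = datetime.fromisoformat(ev["time"])
        if ev["id"] == ACCOUNT_CREATED:
            created.setdefault(ev["host"], []).append((when, ev["target"]))
        elif ev["id"] == TASK_CREATED:
            for made_at, account in created.get(ev["host"], []):
                if when - made_at <= window:
                    hits.append({
                        "host": ev["host"],
                        "account": account,
                        "task": ev["target"],
                        "delay": when - made_at,
                        # Highest-priority case: the task was registered
                        # by the account that was only just created.
                        "by_new_account": ev["subject"].lower() == account.lower(),
                    })
    return hits

if __name__ == "__main__":
    for hit in find_account_then_task(SAMPLE_EVENTS):
        print(hit)
```

The one-hour window is an arbitrary starting point; widen it and triage on `by_new_account` if legitimate provisioning in your environment produces too many matches.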


“Cactus essentially encrypts itself, making it harder to detect and helping it evade antivirus and network monitoring tools,” Laurie Iacono, associate managing director for cyber risk at Kroll, said.

“This new ransomware variant under the name Cactus leverages a vulnerability in a popular VPN appliance, showing that threat actors continue to target remote access services and unpatched vulnerabilities for initial access,” he said.

There are currently no confirmed victims of the ransomware as the gang does not have a victim blog. However, companies that have been attacked are reportedly being asked for ransom payments “in the millions” of dollars, according to sources that spoke to Bleeping Computer.

Cactus issues a ransom note which reads: “Your systems were accessed and encrypted by Cactus. To recover your files and prevent data disclosure contact us via email.”

