Ransomware That Encrypts Itself
Background
There’s new ransomware that has been identified in a live environment since March 2023. The ransomware is unique in that the moving parts (the binary) of the software need to be decrypted before anything starts deploying. Some speculate that this is an attempt to camouflage the payload and circumvent anti-virus detection (according to Kroll.com).
Naming and Indicators
It is referred to as CACTUS because of the following reasons:
- A readme file named cAcTuS.readme.txt, which is also the name of the program itself
- Encrypted files with the .cts1 extension
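A small file-system sweep for the two indicators listed above, added here as a defender's triage helper; it is not code from Kroll or any of the sources credited on this page. It assumes only a readable directory tree and builds its own constructed sample so it runs stand-alone.

```python
import os
from dataclasses import dataclass, field
from pathlib import Path

# Indicators named on the page: the ransom note file name and the
# extension appended to encrypted files.
RANSOM_NOTE = "cAcTuS.readme.txt"
ENCRYPTED_EXT = ".cts1"


@dataclass
class SweepResult:
    encrypted_files: list = field(default_factory=list)
    ransom_notes: list = field(default_factory=list)

    @property
    def hit(self) -> bool:
        """True when either indicator was seen anywhere under the root."""
        return bool(self.encrypted_files or self.ransom_notes)


def sweep(root) -> SweepResult:
    """Walk `root` and collect paths matching either indicator.

    Comparisons are case-insensitive: the note name already mixes case,
    and a future variant or a case-insensitive file system could differ.
    """
    result = SweepResult()
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = str(Path(dirpath) / name)
            if name.lower() == RANSOM_NOTE.lower():
                result.ransom_notes.append(path)
            elif name.lower().endswith(ENCRYPTED_EXT):
                result.encrypted_files.append(path)
    return result


def build_constructed_sample(base) -> str:
    """Create a constructed directory tree (not real data) for a demo run."""
    docs = Path(base) / "share" / "docs"
    docs.mkdir(parents=True, exist_ok=True)
    (docs / "budget.xlsx.cts1").write_bytes(b"\x00" * 16)   # "encrypted" file
    (docs / "cAcTuS.readme.txt").write_text("constructed note\n")
    (Path(base) / "share" / "clean.txt").write_text("nothing to see\n")
    return str(base)


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        r = sweep(build_constructed_sample(tmp))
        print(f"encrypted={len(r.encrypted_files)} notes={len(r.ransom_notes)} hit={r.hit}")
```

Point `sweep()` at a file share or user profile root to get a quick count of affected files and the directories holding the ransom note.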
Security Researcher’s Perspective
Security researchers on LinkedIn are spreading awareness as well. Here’s what Flavio Queiroz, Head of Cyber Threats for the Brazilian Navy, commented on the matter:
Ransomware Deployment
As for the behavior of this malware, what does it entail? It appears to gain its initial access through vulnerable VPN appliances, then takes time to look around any network it has successfully infiltrated, looking for any other reachable devices, and finally deploys the ransomware. Credits to Flavio Queiroz’s post for making everything nice and clear.
These stages map onto the MITRE ATT&CK framework. Once again, Kroll has an excellent, thorough write-up covering everything. Credits to them.
Recommendations and Updates
Be wary and update VPN appliances, be on the lookout for any updates, and be sure to let others know about this. This is a developing post and more will be added as more information is obtained.
Update:
It appears that this malware uses Cobalt Strike, according to TheHackerNews.com. It also uses a tunneling tool called Chisel. Chisel and Cobalt Strike work together to establish remote access and management, similar to TeamViewer, Windows Remote Desktop, or AnyDesk.
The malware even goes as far as attempting to uninstall security tools to further increase the chance of a successful attack.
Laura Iacono spoke to The Hacker News and said, “CACTUS essentially encrypts itself, making it harder to detect and helping it evade antivirus and network monitoring tools”.
Credits and Resources:
Flavio Queiroz, Head of Cyber Threats for the Brazilian Navy