Cactus: New Ransomware Encrypts Itself to Evade Detection

Cactus, a newly discovered ransomware operation has apparently been exploiting vulnerabilities in VPN appliance vulnerabilities to gain initial access to the networks of "large commercial entities."

Although the new threat actor uses the usual file encryption and data stealing techniques used in ransomware attacks, it encrypts itself to evade detection by antivirus software, making it exceptionally challenging to eliminate.

Encrypted Configuration Twist

According to the cybersecurity experts at Kroll, the Cactus ransomware infiltrates its victims' networks by exploiting security flaws in VPN appliances. The researchers discovered that the hackers used compromised service accounts to access these networks through VPN servers.

The self-encryption attribute of Cactus ransomware is what makes it significant. Cactus operators utilize a batch script and the popular compression tool 7-Zip to obtain the encryptor binary to accomplish this. Once the binary is extracted, the initial ZIP archive is eliminated, and the binary is executed with a specific parameter, making it challenging for antivirus software to identify the threat.

Kroll investigators further explain that the script is run using three separate switches: -s for initialization, -r for loading a configuration file, and -i for encryption.

Once within the targeted network, the attackers employ an SSH backdoor along with scheduled tasks to maintain their presence while conducting a number of reconnaissance operations, such as pinging remote hosts, identifying endpoints, and locating user accounts.

The Cactus ransomware executes a batch script that disables standard antivirus software in order to cause the most damage. The attackers exfiltrate files from infected PCs to a cloud server before automatically encrypting them with a PowerShell script.

While detailed information regarding the Cactus operation, the victims they target, and if the hackers follow their promise to provide a reliable decryptor if paid are not yet available, applying the most recent vendor software updates, keeping an eye out for significant data exfiltration attempts, and acting fast should guard against the most destructive and final stages of a ransomware attacks.