Be on the Lookout for Cactus Ransomware!

A new ransomware operation called Cactus is exploiting vulnerabilities in network devices with enhanced security features, or VPN appliances, to access the networks of large businesses. Cactus has been active since March and is looking for big payouts, inferred to be in the millions, from its victims. Researchers at Kroll, a corporate investigation and risk consulting firm, believe that Cactus obtains initial access into the victim’s network by exploiting known vulnerabilities in Fortinet ransomware VPN appliances. What sets Cactus apart from other operations is how it uses encryption. “Cactus essentially encrypts itself, making it harder to detect and helping it evade antivirus and network monitoring tools,” said Laurie Iacono, Associate Managing Director for Cyber Risk at Kroll.

The malware uses multiple extensions for the files it targets. It runs the malware in quick and normal mode consecutively, encrypting the same file twice and appending a new extension after each process. Once in the network, a batch script is run that uninstalls the most commonly used antivirus products. Cactus follows the standard double extortion approach by stealing data before encrypting it. Although they haven’t set up a leak site, they do threaten victims with publishing the stolen files unless they get paid. Applying the latest software updates, monitoring the network for large data exfiltration tasks and responding quickly will protect your network from the final, most damaging stages of a ransomware attack.