A new ransomware operation called Cactus has been exploiting vulnerabilities in VPN appliances for initial access to “large commercial entities networks.”
The Cactus ransomware operation has been active since at least March and seeks big payouts from its victims.
While the new threat actor adopted the usual tactics in ransomware attacks – file encryption and data theft – it added its touch to avoid detection.
Encrypted configuration twist
Researchers found that Cactus obtains initial access into the victim network by exploiting known vulnerabilities in Fortinet VPN appliances.
The assessment is based on the observation that the hacker pivoted inside from a VPN server with a VPN service account in all incidents investigated.
Using encryption to protect the ransomware binary sets Cactus apart from other operations. The actor uses a batch script to obtain the encryptor binary using 7-Zip.
The original ZIP archive is removed, and the binary is deployed with a specific flag that allows it to execute. The entire process is unusual, and the researchers believe that this is to prevent the detection of the ransomware encryptor.
In a technical report, Kroll investigators explain that there are three main modes of execution, each one selected with the use of a specific command line switch: setup (-s), read configuration (-r), and encryption (-i).
The -s and -r arguments allow the threat actors to set up persistence and store data in a C:\ProgramData\ntuser.dat file that is later read by the encryptor when running with the -r command line argument.
For the file encryption to be possible, a unique AES key known only to the attackers must be provided using the -i command line argument.
This key is necessary to decrypt the ransomware’s configuration file and the public RSA key needed to encrypt files. It is available as a HEX string hardcoded in the encryptor binary.
Decoding the HEX string provides encrypted data that unlocks with the AES key.
CACTUS encrypts itself, making it harder to detect and helping it evade antivirus and network monitoring tools.
Running the binary with the correct key for the -i (encryption) parameter unlocks the information and allows the malware to search for files and start a multi-thread encryption process.
Kroll researchers provided the diagram below to better explain the Cactus binary execution process as per the selected parameter.
Ransomware expert Michael Gillespie also analyzed how Cactus encrypted and found that the malware uses multiple extensions for its target files, depending on the processing state.
When preparing a file for encryption, Cactus changes its extension to “.CTS0”. After encryption, the extension becomes “.CTS1”.
However, Gillespie explained that Cactus can also have a “quick mode,” akin to a light encryption pass. Running the malware in quick and normal mode consecutively results in encrypting the same file twice and appending a new extension after each process (e.g. .CTS1.CTS7).
Kroll observed that the number at the end of the .CTS extension varied in multiple incidents attributed to Cactus ransomware.
Cactus ransomware TTPs
Once in the network, the threat actor used a scheduled task for persistent access using an SSH backdoor reachable from the command and control (C2) server.
According to Kroll investigators, Cactus relied on SoftPerfect Network Scanner (netscan) to look for interesting targets on the network.
For deeper reconnaissance, the attacker used PowerShell commands to enumerate endpoints, identify user accounts by viewing successful logins in Windows Event Viewer, and ping remote hosts.
The researchers also found that Cactus ransomware used a modified variant of the open-source PSnmap Tool, a PowerShell equivalent of the Nmap network scanner.
To launch various tools required for the attack, the investigators say that Cactus ransomware tries multiple remote access methods through legitimate tools (e.g. Splashtop, AnyDesk, SuperOps RMM) along with Cobalt Strike and the Go-based proxy tool Chisel.
Kroll investigators say that after escalating privileges on a machine, Cactus operators run a batch script that uninstalls the most commonly used antivirus products.
Like most ransomware operations, Cactus also steals data from the victim. The threat actor uses the Rclone tool to transfer files straight to cloud storage for this process.
After exfiltrating data, the hackers used a PowerShell script called TotalExec, often seen in BlackBasta ransomware attacks, to automate the deployment of the encryption process.
Gillespie told us that the encryption routine in Cactus ransomware attacks is unique. Despite this, it does not appear to be particular to Cactus as a similar encryption process has also been adopted recently by the BlackBasta ransomware gang.
Currently, there is no public information about the ransoms that Cactus demands from its victims but various sources indicate that they are in the millions.
Even if the hackers do steal data from victims, they appear to have not set up a leak site like other ransomware operations involved in double extortion.
However, the threat actor does threaten victims with publishing the stolen files unless they get paid. This is explicit in the ransom note:
Extensive details about the Cactus operation, the victims they target, and if the hackers keep their word and provide a reliable decryptor, if paid, are not available at this time.
What is clear is that the hackers’ incursions so far likely leveraged vulnerabilities in the Fortinet VPN appliance and followed the standard double-extortion approach by stealing data before encrypting it.
Applying the latest software updates from the vendor, monitoring the network for large data exfiltration tasks, and responding quickly should protect from the final and most damaging stages of a ransomware attack.
Source: BleepingComputer, Kroll