Cactus Ransomware cybercriminals target Fortinet VPNs

A new cybercriminal group called Cactus is attacking large companies with ransomware. It infiltrates victims’ networks through vulnerabilities in Fortinet VPN appliances.

The group has been active since March of this year. Cactus gains access to victims’ networks by exploiting vulnerabilities in Fortinet VPN devices, according to Laurie Iacono of Kroll, a business investigation and consulting firm.

What sets Cactus apart from other operations is its use of encryption to protect the ransomware binary. The attacker uses a batch script to extract the ransomware binary with 7-Zip. The original ZIP archive is then deleted, and the binary is launched with a specific flag that allows it to execute. Researchers believe this is done to keep the ransomware from being detected.

“CACTUS essentially encrypts itself, which makes it harder to detect and helps it evade antivirus and network tools”.

Kroll researchers have identified three ways the ransomware file can be launched: install (-s), read configuration (-r), and encrypt (-i). To start the file encryption process, the operator must supply, via the -i option, a unique AES key known only to the attackers. This key is needed to decrypt the ransomware’s configuration file and the RSA public key used to encrypt the files; this material is stored as an encrypted hex string inside the ransomware executable.

Running the ransomware with the correct key in the “-i” parameter lets the malware begin searching for files and start a multi-threaded encryption process.

Ransomware expert Michael Gillespie also analyzed how Cactus encrypts data and reported that the malware uses different extensions for target files depending on the processing stage. For example, when Cactus is preparing a file for encryption, it changes the extension to “.CTS0”; once encryption is complete, the extension becomes “.CTS1”.

While examining one successful Cactus intrusion, the researchers observed that after infiltrating the target network, the attackers used an SSH backdoor to maintain persistent access to their C2 server.

Kroll experts also noted that after obtaining the necessary privileges on the device, the hackers ran a script that uninstalled the most commonly used antivirus products.

Like most ransomware operations, Cactus steals data from victims’ computers before encrypting it. To do this, the attackers use the Rclone tool to transfer files to cloud storage.
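The behaviours described above (a 7-Zip extraction followed by a launch with the -i flag, files carrying the .CTS0/.CTS1 staging extensions, and Rclone transfers to cloud storage) are all visible in ordinary process-creation and file telemetry. The following is an added detection sketch written for this article; it is not Kroll’s or Red Hot Cyber’s code. The event field names (type, ts, host, image, cmdline, action, path) are assumptions about a generic endpoint feed, the sample events are constructed, and the value passed to -i is a placeholder.

```python
# Added example (not Kroll's or Red Hot Cyber's code): a small detector for the
# Cactus behaviours described in the article, run over constructed sample
# telemetry. Event field names are assumptions about a generic endpoint feed;
# the key value passed to -i is a made-up placeholder.
import os
import re

SEVENZIP_IMAGES = {"7z.exe", "7za.exe"}                # 7-Zip console binaries
RCLONE_IMAGES = {"rclone", "rclone.exe"}
RCLONE_TRANSFER_CMDS = {"copy", "sync", "move", "copyto"}
FLAG_I_RE = re.compile(r"(?:^|\s)-i(?:\s|$)")           # a bare -i argument
RCLONE_REMOTE_RE = re.compile(r"^[A-Za-z0-9_-]{2,}:")   # remote:path; >=2 chars rules out drive letters
STAGING_EXT = {".cts0": "preparing for encryption", ".cts1": "encryption completed"}

# Constructed sample events for two hosts: srv01 shows the Cactus sequence,
# dev02 shows benign use of a -i flag with no preceding 7-Zip extraction.
SAMPLE_EVENTS = [
    {"type": "process", "ts": 100, "host": "srv01",
     "image": r"C:\Program Files\7-Zip\7z.exe",
     "cmdline": r'"C:\Program Files\7-Zip\7z.exe" x C:\Users\Public\pkg.zip -oC:\Users\Public'},
    {"type": "process", "ts": 130, "host": "srv01",
     "image": r"C:\Users\Public\pkg.exe",
     "cmdline": r"C:\Users\Public\pkg.exe -i PLACEHOLDER_AES_KEY_HEX"},
    {"type": "process", "ts": 140, "host": "srv01",
     "image": r"C:\Users\Public\rclone.exe",
     "cmdline": r"rclone.exe copy D:\Shares\Finance backup:finance --transfers 8"},
    {"type": "file", "ts": 150, "host": "srv01", "action": "rename",
     "path": r"D:\Shares\Finance\q1.xlsx.CTS0"},
    {"type": "file", "ts": 151, "host": "srv01", "action": "rename",
     "path": r"D:\Shares\Finance\q1.xlsx.CTS1"},
    {"type": "process", "ts": 200, "host": "dev02",
     "image": r"C:\Tools\grep.exe", "cmdline": r"grep.exe -i error app.log"},
]


def _basename(path):
    """Last path component, lower-cased, accepting both / and \\ separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def detect_cactus(events, window=600):
    """Return findings, ordered by timestamp, for three behaviours:
    1. a process started with a bare -i flag within `window` seconds of a
       7-Zip extraction (7z x / 7z e) on the same host;
    2. an rclone transfer to a remote (exfiltration to cloud storage);
    3. a file path carrying a .CTS0 or .CTS1 staging extension.
    """
    findings = []
    last_extract = {}  # host -> timestamp of the most recent 7-Zip extraction
    for ev in sorted(events, key=lambda e: e["ts"]):
        host = ev["host"]
        if ev["type"] == "process":
            image = _basename(ev["image"])
            tokens = ev["cmdline"].split()
            if image in SEVENZIP_IMAGES and any(t in ("x", "e") for t in tokens[1:]):
                last_extract[host] = ev["ts"]
            elif FLAG_I_RE.search(ev["cmdline"]):
                t0 = last_extract.get(host)
                if t0 is not None and ev["ts"] - t0 <= window:
                    findings.append({"rule": "encrypt-launch-after-extract", "host": host,
                                     "ts": ev["ts"], "detail": ev["cmdline"]})
            if image in RCLONE_IMAGES and len(tokens) > 1 and tokens[1] in RCLONE_TRANSFER_CMDS:
                remote = next((t for t in tokens[2:] if RCLONE_REMOTE_RE.match(t)), "<unknown>")
                findings.append({"rule": "rclone-exfil", "host": host,
                                 "ts": ev["ts"], "detail": remote})
        elif ev["type"] == "file":
            ext = os.path.splitext(ev["path"])[1].lower()
            if ext in STAGING_EXT:
                findings.append({"rule": "staging-extension", "host": host, "ts": ev["ts"],
                                 "detail": ev["path"], "stage": STAGING_EXT[ext]})
    return findings


if __name__ == "__main__":
    for f in detect_cactus(SAMPLE_EVENTS):
        print(f)
```

A bare -i flag is common to many legitimate tools, so rule 1 only fires when the same host performed a 7-Zip extraction shortly before; the dev02 grep event above is deliberately left unflagged to show that. The .CTS0/.CTS1 rule is the cheapest signal and also the latest one, since it only triggers once encryption has begun, which is why the rclone transfer rule matters for catching the exfiltration stage earlier.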

At present, there is no public information on the size of the ransom Cactus demands from its victims. Furthermore, although the gang steals data from target devices, it apparently does not operate a data leak site (DLS). But since the attackers threaten to publish the stolen files if victims don’t pay, they are likely to use popular darknet forums for that purpose.

Because these cybercriminals exploit vulnerabilities in Fortinet VPN devices to infiltrate targeted networks, experts recommend that all Fortinet customers apply the vendor’s latest security updates immediately to avoid becoming one of Cactus’s next victims.

The editorial staff of Red Hot Cyber is made up of a group of natural persons and anonymous sources who actively collaborate by providing preview information and news on computer security and information technology in general.
