Lepide Blog: A Guide to IT Security, Compliance and IT Operations

What is CACTUS Ransomware, and How does It Work?


What is CACTUS Ransomware

Cyber threat intelligence analysts at Kroll, a provider of financial advisory solutions, have discovered a new ransomware variant called CACTUS, which has targeted large commercial organizations since March 2023. The ransomware takes its name from the ransom note file, cAcTuS.readme.txt, and the name also appears inside the note. Encrypted files receive the extension .cts1, although the trailing number has been observed to differ between incidents and victims. Kroll has observed sensitive data being exfiltrated and victims being extorted through the Tox peer-to-peer messaging service, but no victim leak site was identified during the analysis period.

How CACTUS Ransomware Works

Infection

CACTUS operators have employed a range of techniques to infect victims, including tools such as Chisel, Rclone, TotalExec, Scheduled Tasks and custom scripts to disable security software and distribute the ransomware binary. In every CACTUS case examined, the attacker gained entry through a VPN server using a VPN service account. They then established an SSH backdoor to their command-and-control (C2) server and kept that access alive through Scheduled Tasks.

Reconnaissance

After gaining access to the network, the malicious actor(s) use SoftPerfect Network Scanner (netscan) for initial internal reconnaissance. They run PowerShell commands to enumerate endpoints, review Windows Security event ID 4624 (successful logon) records to identify user accounts, and ping remote endpoints. The output of these commands is saved to text files on the host, which are later consumed when the ransomware is executed.
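The same 4624 records the attackers mine for account names are also where a defender can spot a VPN service account being misused. The Python below is an added example for this post, not code from Kroll's report or from Lepide's product; it parses a few constructed 4624 records (rendered as simplified key=value lines rather than real Event Log XML) and flags service accounts that log on interactively (logon types 2, 10 and 11 in Microsoft's 4624 documentation) or reach more distinct hosts than a single-purpose account should. The account names, host names and the max_hosts threshold are assumptions for illustration.

```python
import re
from collections import defaultdict

# Logon types that mean a person sat at a console or in an RDP session.
# A VPN or backup service account has no business producing these.
INTERACTIVE_LOGON_TYPES = {2, 10, 11}

# Constructed sample records (not from a real incident), one 4624/4634 per line.
SAMPLE_4624 = """
EventID=4624 TargetUserName=svc-vpn LogonType=3 IpAddress=10.0.5.23 Computer=FS01
EventID=4624 TargetUserName=jdoe LogonType=2 IpAddress=- Computer=WS17
EventID=4624 TargetUserName=svc-vpn LogonType=10 IpAddress=10.0.5.23 Computer=DC01
EventID=4624 TargetUserName=svc-vpn LogonType=3 IpAddress=10.0.5.23 Computer=SQL02
EventID=4624 TargetUserName=svc-backup LogonType=5 IpAddress=- Computer=BK01
EventID=4634 TargetUserName=jdoe LogonType=2 IpAddress=- Computer=WS17
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_events(text):
    """Turn the key=value lines into dicts, keeping only successful logons (4624)."""
    events = []
    for line in text.strip().splitlines():
        fields = dict(FIELD_RE.findall(line))
        if fields.get("EventID") == "4624":
            fields["LogonType"] = int(fields["LogonType"])
            events.append(fields)
    return events


def flag_service_accounts(events, service_accounts, max_hosts=2):
    """Return {account: [reasons]} for service accounts that either log on
    interactively or log on to more than max_hosts distinct computers."""
    hosts_seen = defaultdict(list)
    findings = defaultdict(list)
    for ev in events:
        user = ev["TargetUserName"]
        if user not in service_accounts:
            continue
        if ev["LogonType"] in INTERACTIVE_LOGON_TYPES:
            findings[user].append(
                f"interactive logon type {ev['LogonType']} on {ev['Computer']} "
                f"from {ev['IpAddress']}")
        if ev["Computer"] not in hosts_seen[user]:
            hosts_seen[user].append(ev["Computer"])
    for user, hosts in hosts_seen.items():
        if len(hosts) > max_hosts:
            findings[user].append(f"logons to {len(hosts)} hosts: {', '.join(hosts)}")
    return dict(findings)


if __name__ == "__main__":
    for account, reasons in flag_service_accounts(
            parse_events(SAMPLE_4624), {"svc-vpn", "svc-backup"}).items():
        print(account)
        for reason in reasons:
            print("  -", reason)
```

In a real deployment the service account list would come from the directory (or from Lepide's account audit) and the events from a SIEM export; the two heuristics are deliberately simple so that each finding can be explained to whoever owns the account.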

Deployment

To ensure persistence within the environment, the attacker tries to establish several remote access pathways. Kroll has detected the use of legitimate remote access tools such as Splashtop, AnyDesk and SuperOps RMM, as well as Cobalt Strike and Chisel (a SOCKS5 proxy tool). Chisel tunnels traffic through firewalls covertly, giving the attacker a concealed channel to their C2, and is most likely used to transfer additional scripts and tools to the target endpoint. After gaining the appropriate access level (described below), the threat actor runs a batch script that uses msiexec to remove anti-virus programs based on their software GUID.

Escalation and Lateral Movement

The threat actor often tries to extract credentials from users' web browsers and searches for files containing passwords that can be used for execution and lateral movement. They may also attempt to dump LSASS credentials for later privilege escalation. A batch script is then used to add privileged accounts to remote endpoints. Lateral movement has been observed through both legitimate and forged accounts as well as the Remote Desktop Protocol (RDP), and has also been facilitated by remote management tools such as SuperOps.

How Cactus Ransomware Exploits Qlik Sense Vulnerabilities

Cactus ransomware specifically targets systems that are running Qlik Sense, a widely used platform for business intelligence and data analytics. The attackers exploit specific vulnerabilities within Qlik Sense to gain initial access and then proceed with deploying the ransomware. Here is a detailed explanation of their methods:

Exploiting Vulnerabilities

The attackers take advantage of two critical vulnerabilities, CVE-2023-41265 and CVE-2023-41266. These involve HTTP request tunneling and path traversal respectively, allowing the attackers to gain elevated privileges and reach unauthorized endpoints within the Qlik Sense server, which in turn lets them issue malicious requests and effectively take control of the server. A third vulnerability, CVE-2023-48365, may also be in use, although this has not been explicitly confirmed. Researchers suspect that it allows unauthorized file uploads to Qlik Sense servers, potentially serving as another entry point for the deployment of malicious code.

Escalating Access and Control

Once the attackers have gained access, they employ various tactics to establish persistence and gain control over the compromised system. They abuse the Qlik Sense Scheduler Service, which is able to launch processes, by forcing it to download additional tools. These tools serve different purposes:

  • Remote Access: Tools like AnyDesk and Plink (a PuTTY fork) are downloaded to enable remote desktop access, giving the attackers unrestricted navigation within the compromised system.
  • Persistence: They deploy ManageEngine UEMS, disguised as Qlik files, to ensure ongoing access even after system restarts.
  • Lateral Movement: Tools like WizTree and rclone are utilized to analyze disk space and extract data, potentially spreading the attack within the network.

In addition to gaining control over the compromised system, the Cactus attackers often engage in additional malicious activities:

  • Disabling Security: They may uninstall security software, such as Sophos, to evade detection and hinder response efforts.
  • Data Theft: Before encrypting the system, they steal sensitive data for double-extortion tactics, threatening to leak it if the ransom is not paid.
  • Network Expansion: By gaining a foothold in the initial system, the attackers aim to expand their control and infiltrate other systems within the network.

How to Protect Against CACTUS Ransomware

In addition to the standard ways to prevent ransomware attacks, such as regularly updating software and taking backups, installing and maintaining advanced anti-malware solutions and conducting security awareness training, companies should also consider the following recommendations for minimizing the likelihood of a CACTUS ransomware attack.

  • Update VPN devices regularly and use password managers to prevent credential theft through browsers.
  • Keep track of PowerShell usage and encoded script execution.
  • Regularly audit user, administrator, and service accounts to uphold the principle of least privilege.
  • Use multi-factor authentication to restrict access to sensitive areas and prevent lateral movement.
  • Ensure that multiple backups are taken and isolated from the network.
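Two of the behaviours described above leave a clear trace in process-creation logging: the encoded PowerShell the recommendations say to track, and the msiexec calls that remove anti-virus by product GUID (see the Deployment section). The Python below is an added example written for this post, not code from Kroll or Lepide; it takes a handful of constructed command lines (the kind found in Security event 4688 or Sysmon event 1), decodes any -EncodedCommand payload from its UTF-16LE base64 form so an analyst can read it, and flags msiexec uninstalls by product code. The benign script it encodes, the all-zero product GUID and the paths are placeholders.

```python
import base64
import re

# PowerShell accepts -e, -ec, -enc and -EncodedCommand; all take a base64 blob.
ENCODED_RE = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
# msiexec removing a product by its code, e.g. msiexec.exe /x {GUID} /qn
MSIEXEC_UNINSTALL_RE = re.compile(
    r"msiexec(?:\.exe)?\b.*?/x\s+(\{[0-9A-F-]{36}\})", re.IGNORECASE)
QUIET_RE = re.compile(r"/q(?:n|b|r|uiet)?\b", re.IGNORECASE)

# Constructed, benign script used only to build a realistic encoded command line.
_DEMO_SCRIPT = "Get-Process | Out-File C:\\temp\\p.txt"
_DEMO_B64 = base64.b64encode(_DEMO_SCRIPT.encode("utf-16le")).decode("ascii")

# Constructed sample command lines; the GUID is a placeholder, not a real product code.
SAMPLE_CMDLINES = [
    f"powershell.exe -NoP -W Hidden -enc {_DEMO_B64}",
    "msiexec.exe /x {00000000-0000-0000-0000-000000000000} /qn",
    "msiexec.exe /i C:\\installers\\app.msi /qn",
    "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1",
]


def decode_powershell(cmdline):
    """Return the plaintext of an -EncodedCommand payload, or None if absent/undecodable."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage_process_events(cmdlines):
    """Return (process, reason) findings for encoded PowerShell and msiexec uninstalls."""
    findings = []
    for cmd in cmdlines:
        decoded = decode_powershell(cmd)
        if decoded is not None:
            findings.append(("powershell", f"encoded command decodes to: {decoded}"))
        m = MSIEXEC_UNINSTALL_RE.search(cmd)
        if m:
            quiet = "silent " if QUIET_RE.search(cmd) else ""
            findings.append(("msiexec", f"{quiet}uninstall of product code {m.group(1)}"))
    return findings


if __name__ == "__main__":
    for process, reason in triage_process_events(SAMPLE_CMDLINES):
        print(f"[{process}] {reason}")
```

The decoded text is what should land in the alert, because a base64 blob on its own tells the on-call analyst nothing; a silent uninstall by product code is worth a high-priority alert whenever the GUID belongs to a security product installed in your estate.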

How Lepide helps with Cactus Ransomware Protection

It is important to review and restrict access privileges to protect against ransomware as doing so helps to prevent attackers from gaining access to resources they shouldn’t have, which could be used to launch an attack. It is also important to monitor access to user accounts and data (including backups) as this allows early detection of unusual activity. By having an effective monitoring system in place, IT teams can quickly detect and respond to CACTUS ransomware to prevent further damage.

The Lepide Data Security Platform provides a user-friendly dashboard where you can review all access permissions, and identify and remove permissions that are excessive. The platform also enables you to receive real-time alerts anytime critical systems and data are accessed in a way that is unusual. The Lepide platform can detect and respond to events that match a pre-defined threshold condition, such as when multiple files are encrypted or renamed within a given time-frame. If the threshold condition is met, a custom script can be executed to stop the attack from spreading.
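The threshold condition described above, many files renamed or encrypted within a short time, is simple enough to show end to end. The Python below is an added example written for this post, not Lepide's own detection logic or a description of how the platform implements it; it runs a sliding window over constructed file-server audit records, raises one alert per user and host once the rename count inside the window crosses the threshold, and reports the dominant new extension (here the .cts1 suffix the page describes). The timestamps, user names, host names and threshold are assumptions for illustration.

```python
import os
from collections import Counter, deque
from datetime import datetime, timedelta

_T0 = datetime(2024, 1, 1, 3, 0, 0)  # constructed base time for the sample records

# Constructed audit records: (user, host, timestamp, old name, new name).
# Twelve renames two seconds apart mimic an encryption run; jdoe's renames are background noise.
SAMPLE_RENAMES = [
    ("svc-vpn", "FS01", _T0 + timedelta(seconds=2 * i), f"report{i}.docx", f"report{i}.docx.cts1")
    for i in range(12)
] + [
    ("jdoe", "FS01", _T0 + timedelta(minutes=5 * i), f"draft{i}.txt", f"final{i}.txt")
    for i in range(3)
]


def detect_rename_bursts(events, threshold=10, window_seconds=60):
    """Alert once per (user, host) when at least `threshold` renames occur
    within `window_seconds`. Returns a list of alert dicts."""
    window = timedelta(seconds=window_seconds)
    recent = {}        # (user, host) -> deque of (timestamp, new extension)
    alerted = set()    # keys that already produced an alert; avoids alert storms
    alerts = []
    for user, host, ts, _old, new in sorted(events, key=lambda e: e[2]):
        key = (user, host)
        q = recent.setdefault(key, deque())
        q.append((ts, os.path.splitext(new)[1].lower()))
        while ts - q[0][0] > window:      # drop renames that fell out of the window
            q.popleft()
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)
            ext, _count = Counter(e for _t, e in q).most_common(1)[0]
            alerts.append({
                "user": user, "host": host, "count": len(q),
                "window_start": q[0][0], "window_end": ts, "extension": ext,
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_rename_bursts(SAMPLE_RENAMES):
        print(f"{alert['user']}@{alert['host']}: {alert['count']} renames to "
              f"{alert['extension']} between {alert['window_start']:%H:%M:%S} "
              f"and {alert['window_end']:%H:%M:%S}")
```

The alert dict is the payload a response script would consume (for instance to disable the offending account and isolate the host); firing at the tenth rename rather than after the run has finished is what limits the damage, so the threshold should be set low enough to trigger early but above the rename rate of legitimate batch jobs.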

If you’d like to see how the Lepide Data Security Platform can help protect against CACTUS ransomware attacks, schedule a demo with one of our engineers.