Unraveling the CACTUS Ransomware Group’s Recent Exploits

In recent a new CACTUS cyber wade has personal two increasingly victims, subtracting to their visionless web portfolio. This time, the CACTUS ransomware group’s targeted organizations are Astro Lighting and Orthum Bau. 

The motive overdue these attacks remains shrouded in mystery, with no discernible hacktivist agenda. However, despite the so-called CACTUS attack, both companies towards to be operating without any visible signs of the cyber onslaught.

CACTUS cyber wade claims: A new player with old tactics!
The CACTUS  has been a prominent threat actor, leaving a trail of attacks in its wake over the past few months. 

Previously, The Cyber Express reported on their activities when they targeted five high-profile victims spanning variegated industries and regions globally. 

The unauthentic entities included Seymours, Groupe Promotrans, MINEMAN Systems, Maxxd Trailers, and Marfrig Global Foods.

Since March 2023, the CACTUS ransomware group has been employing a multifaceted tideway to infiltrate networks. 

Their initial wangle often exploits documented vulnerabilities in VPN appliances. Once inside, the threat actors meticulously enumerate local and network user finance and identify reachable endpoints. 

Custom scripts come into play, automating the deployment and detonation of the ransomware decryptor via scheduled tasks.

To verify the authenticity of the so-called CACTUS cyber attack, The Cyber Express reached out to both unauthentic companies. Astro Lightening has responded to us, “We recently identified and contained an IT security incident which caused some minor disruption to our merchantry operations. The matter has now been successfully contained. Astro takes its information security obligations extremely seriously. At this time, Astro has no remoter scuttlebutt to make.”.

CACTUS ransomware group’s unique encryption techniques
One of the standout features of CACTUS’ ransomware encryptor is its novel execution method. It necessitates a decryption key, a safeguard likely put in place to evade detection by anti-virus software. 

This key is unseen within a file named ntuser.dat, containing random text and loaded via a scheduled task. The CACTUS ransomware group employs a diverse set of tactics, techniques, and procedures (TTPs) to siphon out their attacks.

This includes leveraging tools like Chisel, Rclone, TotalExec, Scheduled Tasks, and custom scripts to shirk security measures and distribute the ransomware binary. Notably, they have been observed using a file named ntuser.dat within C:\ProgramData to pass an AES key for persistent execution via Scheduled Tasks.

In May 2023, it was revealed that CACTUS had been exploiting known vulnerabilities in VPN appliances to proceeds initial wangle to targeted networks. This method involves setting up an SSH backdoor for persistent wangle and executing PowerShell commands for network scanning.

A systematic sequence of steps characterizes the CACTUS cyber attack. They make use of tools like Cobalt Strike and Chisel for writ and control, slantingly remote monitoring and management (RMM) software like AnyDesk. Their tactics include disabling security solutions, extracting credentials, and privilege escalation, culminating in data exfiltration and ransomware deployment.

The Cyber Express is closely monitoring developments in this story. Updates will be provided as soon as increasingly information surfaces well-nigh this cyber wade or if any official statements or responses are received from the unauthentic organizations.

Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users withstand full responsibility for their reliance on it. The Cyber Express assumes no liability for the verism or consequences of using this information.