Cactus Ransomware Group

Introduction

Cactus ransomware is a relatively new but highly sophisticated ransomware strain first observed in March 2023. It stands out for its unique encryption method and self-protection techniques, which include encrypting its own payload to evade detection. Cactus primarily targets large enterprises, using double extortion tactics—encrypting victim data while also stealing sensitive files for additional ransom leverage.

Unlike open Ransomware-as-a-Service (RaaS) groups such as LockBit or BlackCat, Cactus operates privately, meaning that only a select group of affiliates are allowed to use its ransomware. The group's attack chain is highly advanced: it exploits vulnerabilities in VPN services for initial access and relies on penetration testing tools like Cobalt Strike for post-exploitation.

Key Information

  • Active Since: March 2023 – Present

  • Threat Actor Type: Private Ransomware Operation (Not RaaS)

  • Primary Attack Model: Double Extortion (File Encryption + Data Theft)

  • Targeted Sectors:

    • Financial Services

    • Technology & IT Companies

    • Manufacturing & Industrial Enterprises

    • Healthcare & Pharmaceuticals

    • Government Entities

What Makes Cactus Unique?

  • Encrypted Payload Execution – The ransomware encrypts its own binary to bypass security detection.

  • Exploiting Known VPN Vulnerabilities – Frequently gains access through unpatched VPN servers.

  • Selective Targeting of Large Enterprises – Prefers high-value targets with the ability to pay multi-million-dollar ransoms.

  • Advanced Evasion Tactics – Uses legitimate IT and penetration testing tools to blend in with normal network activity.

MITRE ATT&CK Techniques – Cactus Ransomware

Cactus follows a highly structured attack methodology that aligns with the MITRE ATT&CK framework. Below are the confirmed techniques used by Cactus ransomware.

Initial Access (How They Gain Entry)

  • T1190 – Exploit Public-Facing Applications

    • Cactus exploits vulnerabilities in VPN services (e.g., Fortinet, Citrix) to gain initial access.

  • T1078 – Valid Accounts (Credential Theft)

    • Uses stolen or brute-forced credentials, often purchased from dark web marketplaces.

Execution (Deploying the Ransomware Payload)

  • T1204 – User Execution

    • Ransomware is delivered as a disguised file (e.g., a PDF or ZIP archive) that tricks users into running it.

  • T1059.001 – Command and Scripting Interpreter: PowerShell

    • Uses PowerShell commands to download and execute malicious scripts.

Persistence (Maintaining Access to the System)

  • T1543.003 – Create or Modify System Process: Windows Service

    • Installs malicious services to maintain long-term access.

  • T1136 – Create New Accounts

    • Generates new administrative user accounts to retain system access.

Privilege Escalation (Gaining Higher-Level Access)

  • T1055 – Process Injection

    • Injects malicious code into legitimate processes to evade detection.

  • T1548.002 – Abuse Elevation Control Mechanism

    • Uses UAC bypass techniques to gain admin privileges.

Defense Evasion (Avoiding Detection)

  • T1070.004 – Indicator Removal on Host: File Deletion

    • Deletes Windows logs and forensic evidence to avoid detection.

  • T1562 – Disable Security Tools

    • Disables Windows Defender, EDR, and other security monitoring tools.

  • T1027 – Obfuscated Files or Information

    • Encrypts its own executable payload to prevent detection by security tools.

Credential Access (Stealing Passwords & Accounts)

  • T1003.001 – OS Credential Dumping: LSASS Memory

    • Dumps Windows credentials from the memory of the LSASS process (lsass.exe) using tools like Mimikatz.

Discovery (Reconnaissance & System Profiling)

  • T1018 – Remote System Discovery

    • Enumerates available remote systems and network shares before ransomware deployment.

Lateral Movement (Spreading Across the Network)

  • T1021.001 – Remote Desktop Protocol (RDP) Hijacking

    • Moves laterally using compromised RDP credentials.

  • T1570 – Lateral Tool Transfer

    • Deploys ransomware across network shares and mapped drives.

Data Exfiltration (Stealing Data for Ransom Leverage)

  • T1041 – Exfiltration Over C2 Channel

    • Sends stolen data to Cactus-controlled servers before encryption.

  • T1567.002 – Exfiltration to Cloud Storage

    • Uses Mega.nz, private FTP servers, and Tor-hosted servers to store stolen data.

Impact (Encryption & System Disruption)

  • T1486 – Data Encrypted for Impact

    • Encrypts files using AES-256 and RSA encryption across victim environments.

  • T1490 – Inhibit System Recovery

    • Deletes shadow copies, backup files, and system restore points to prevent recovery.

Recent Attacks & Financial Impact

Notable Victims (2023-2024)

  • European and U.S. financial institutions

  • Healthcare providers and pharmaceutical companies

  • Technology firms and cloud service providers

  • Manufacturing & critical infrastructure organizations

Estimated Financial Impact

  • Ransom demands range from $500,000 to over $3 million per victim.

  • Victims who refuse to pay face public data leaks on Cactus's dark web platform.

  • Total estimated damages exceed $100 million in 2023 alone.

Law Enforcement Actions Against Cactus

  • No known arrests as of 2024, but law enforcement agencies actively monitor Cactus's infrastructure.

  • Cybersecurity firms have released detection tools, but no universal decryption tool exists yet.

Defensive Recommendations Against Cactus Attacks

Preventative Measures

  • Patch VPN & RDP Vulnerabilities – Cactus frequently exploits unpatched VPN appliances.

  • Enforce Multi-Factor Authentication (MFA) – Prevents unauthorized logins with stolen credentials.

  • Monitor Unusual PowerShell Activity – Detect malicious PowerShell scripts before execution.

  • Restrict RDP & Remote Admin Access – Disable unused remote access services and enforce zero-trust access policies.

  • Regularly Backup Critical Data – Ensures business continuity in case of ransomware encryption.

  • Deploy Threat Intelligence & Dark Web Monitoring – Identify leaked credentials or attack indicators early.
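As an added defender-side illustration of the "Monitor Unusual PowerShell Activity" recommendation and of the Execution, Defense Evasion and Impact techniques listed in the ATT&CK section above (this is example code written for this page, not the profile's own or any vendor's tool), the script below runs a small rule set over Windows process-creation events and maps each hit to the ATT&CK ID the profile attributes to Cactus. The "key=value" log format, host names and command lines are constructed for the example; the rules decode base64 `-EncodedCommand` payloads before matching so that a command hidden inside an encoded PowerShell launch (T1059.001) is still checked against the shadow-copy deletion (T1490), Defender-tampering (T1562) and log-clearing (T1070) rules.

```python
"""Added example (not from the profile or any vendor): map constructed Windows
process-creation log lines onto the ATT&CK techniques attributed to Cactus."""
import base64
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class Finding:
    host: str
    technique: str   # ATT&CK ID the evidence maps to
    rule: str        # short rule name
    evidence: str    # matched text (decoded, if it was base64-encoded)


# Rules run over the raw command line and, when present, over the decoded
# -EncodedCommand payload, so base64-wrapping a command does not evade them.
RULES = [
    ("T1490", "Shadow copy / recovery tampering", re.compile(
        r"vssadmin(\.exe)?\s+delete\s+shadows"
        r"|wmic(\.exe)?\s+shadowcopy\s+delete"
        r"|bcdedit(\.exe)?.*recoveryenabled\s+no"
        r"|wbadmin(\.exe)?\s+delete\s+catalog", re.I)),
    ("T1562", "Security tooling disabled", re.compile(
        r"Set-MpPreference\s+-Disable\w+"
        r"|sc(\.exe)?\s+(stop|config)\s+WinDefend"
        r"|net(\.exe)?\s+stop\s+(WinDefend|Sense)\b", re.I)),
    # The profile files log deletion under T1070.004; ATT&CK's sub-technique for
    # clearing Windows event logs is T1070.001, so this rule reports the parent ID.
    ("T1070", "Windows event log cleared", re.compile(
        r"wevtutil(\.exe)?\s+cl\b|Clear-EventLog", re.I)),
]

_EVENT = re.compile(r"host=(\S+) parent=(\S+) image=(\S+) cmd=(.*)$")
_ENCODED = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)


def parse_event(line: str) -> Optional[dict]:
    """Parse one constructed 'key=value' line; cmd= takes the rest of the line."""
    m = _EVENT.match(line.strip())
    if not m:
        return None
    host, parent, image, cmd = m.groups()
    return {"host": host, "parent": parent, "image": image, "cmd": cmd}


def decode_encoded_command(cmd: str) -> Optional[str]:
    """Return the decoded -EncodedCommand payload (base64 of UTF-16LE), or None."""
    m = _ENCODED.search(cmd)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze(lines: list) -> list:
    """Run every rule over every event; returns Findings in event order."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        texts = [ev["cmd"]]
        decoded = decode_encoded_command(ev["cmd"])
        if decoded is not None:
            texts.append(decoded)
            if ev["image"].lower().endswith(("powershell.exe", "pwsh.exe")):
                findings.append(Finding(ev["host"], "T1059.001",
                                        "Encoded PowerShell command", decoded[:80]))
        for technique, name, pattern in RULES:
            for text in texts:          # first hit per rule is enough
                m = pattern.search(text)
                if m:
                    findings.append(Finding(ev["host"], technique, name, m.group(0)))
                    break
    return findings


def techniques_by_host(findings: list) -> dict:
    """Collapse findings into host -> sorted, de-duplicated ATT&CK IDs."""
    out = {}
    for f in findings:
        out.setdefault(f.host, set()).add(f.technique)
    return {h: sorted(t) for h, t in out.items()}


def encode_ps(script: str) -> str:
    """Encode a script the way -EncodedCommand expects (only used to build sample data)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample events: one benign line and three that should fire.
SAMPLE_EVENTS = [
    "host=ws01 parent=explorer.exe image=C:\\Windows\\System32\\notepad.exe cmd=notepad.exe report.txt",
    "host=ws01 parent=winword.exe image=powershell.exe cmd=powershell.exe -nop -w hidden -enc "
    + encode_ps("Set-MpPreference -DisableRealtimeMonitoring $true"),
    "host=fs02 parent=cmd.exe image=vssadmin.exe cmd=vssadmin.exe delete shadows /all /quiet",
    "host=fs02 parent=cmd.exe image=wevtutil.exe cmd=wevtutil.exe cl Security",
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"{f.host:5} {f.technique:10} {f.rule}: {f.evidence}")
```

Run stand-alone it prints four findings: the encoded PowerShell launch on ws01 (T1059.001) together with the Defender-disabling command it carried (T1562), and the shadow-copy deletion (T1490) and Security-log clearing (T1070) on fs02. In a real deployment the `SAMPLE_EVENTS` list would be replaced by Sysmon Event ID 1 or Windows Security 4688 records (with command-line auditing enabled), and `techniques_by_host` gives the per-host technique set that makes a Cactus-style chain stand out from a single noisy alert.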

Final Thoughts

Cactus ransomware is a highly evasive and rapidly evolving cyber threat, using encrypted payload execution and VPN exploits to target large enterprises. Unlike RaaS groups like LockBit or Cl0p, Cactus is a private operation with selective affiliate recruitment, making it harder for law enforcement to infiltrate.

Organizations should proactively harden security controls, restrict remote access, and deploy continuous monitoring to detect and prevent Cactus ransomware intrusions.
