A new, sophisticated ransomware operation known as Cactus has been targeting high-profile commercial entities by exploiting VPN vulnerabilities, security experts have discovered.
Notably, Cactus ransomware encrypts itself to avoid detection by antivirus software, making it particularly difficult to combat.
Cybersecurity experts at Kroll, a prominent corporate investigation and risk consulting firm, have discovered that the Cactus ransomware infiltrates the networks of its victims by exploiting security flaws in VPN appliances. The researchers noted that the hackers managed to enter these networks via VPN servers using compromised service accounts.
The unique feature of the Cactus ransomware lies in its self-encryption capability. To achieve this, Cactus operators use a batch script that extracts the encryptor binary from a ZIP archive with 7-Zip, a popular compression tool.
Once the binary is extracted, the original ZIP archive is deleted and the binary is executed with a specific parameter, which makes it harder for antivirus software to detect the threat.
This unconventional approach has alarmed cybersecurity experts, who warn organizations to remain on high alert for such elusive threats.
As BleepingComputer reported, Kroll investigators elaborated on how the encryptor is executed, noting that the attackers use three different command-line switches at runtime:
-s for setting it up,
-r for loading a configuration file and
-i for encryption.
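Added example, not code from Kroll, BleepingComputer or the article's author: a small Python detector that looks for the chain described above (a 7-Zip extraction, deletion of the archive, then a binary from the extraction directory launched with -s, -r and -i) in constructed process-creation events. The event layout, the sample paths and the exact 7z command line are assumptions; only the three switches come from the report.

```python
"""Flag the extract-delete-execute chain attributed to Cactus in process events.
Event layout, sample paths and the 7z invocation are constructed assumptions."""
import ntpath

# The three encryptor switches reported by Kroll / BleepingComputer.
SWITCHES = {"-s", "-r", "-i"}

# Constructed sample events: (parent image, image, command line).
SAMPLE_EVENTS = [
    ("cmd.exe", "7z.exe", "7z.exe x C:\\temp\\pkg.zip -oC:\\temp"),
    ("cmd.exe", "cmd.exe", "cmd.exe /c del /q C:\\temp\\pkg.zip"),
    ("cmd.exe", "C:\\temp\\upd.exe", "C:\\temp\\upd.exe -s"),
    ("cmd.exe", "C:\\temp\\upd.exe", "C:\\temp\\upd.exe -r"),
    ("cmd.exe", "C:\\temp\\upd.exe", "C:\\temp\\upd.exe -i"),
    ("explorer.exe", "7z.exe", "7z.exe x C:\\Users\\a\\docs.zip -oC:\\Users\\a"),
]


def detect_cactus_chain(events):
    """Return (image, archive) pairs where, under one parent process, 7-Zip
    extracted an archive, that archive was then deleted, and a binary inside
    the extraction directory was launched with all of -s, -r and -i.
    Events are scanned in order, so the deletion must precede the launches."""
    extracted = {}   # parent image -> list of (archive, output dir)
    deleted = set()  # archives removed with 'del'
    seen = {}        # (parent, image) -> switches observed so far
    hits = []
    for parent, image, cmd in events:
        args = cmd.split()
        if ntpath.basename(image).lower() == "7z.exe" and len(args) > 1 and args[1] == "x":
            archive = next((a for a in args[2:] if not a.startswith("-")), None)
            outdir = next((a[2:] for a in args if a.startswith("-o")), None)
            if archive and outdir:
                extracted.setdefault(parent, []).append((archive, outdir))
        elif "del" in args and len(args) >= 2:
            deleted.add(args[-1])
        elif len(args) == 2 and args[1] in SWITCHES:
            for archive, outdir in extracted.get(parent, []):
                if ntpath.dirname(image).lower() == outdir.lower() and archive in deleted:
                    key = (parent, image)
                    seen.setdefault(key, set()).add(args[1])
                    if seen[key] == SWITCHES and (image, archive) not in hits:
                        hits.append((image, archive))
    return hits
```

Feeding the sample events through the function flags only the cmd.exe chain; the unrelated extraction under explorer.exe, with no deletion and no switch launches, is ignored.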
After breaching the targeted network, perpetrators use a combination of scheduled tasks and an SSH backdoor to achieve persistence and run several reconnaissance operations, including pinging remote hosts, enumerating endpoints, and identifying user accounts.
To maximize the damage, Cactus ransomware runs a batch script that uninstalls common antivirus software. Before encrypting files on compromised machines, the actors exfiltrate them to a cloud server, then use a PowerShell script to automate the encryption.
Reportedly, the threat actors haven’t yet created a dedicated website to leak exfiltrated data. However, their ransom note explicitly mentions publishing stolen documents from their victims if they refuse to pay the ransom.
To prevent falling prey to ransomware attacks, use specialized software solutions such as Bitdefender Ultimate Security. Key features include: