Escalating CACTUS Ransomware Group Targets SMBs with Advanced Techniques

Enterprotect has been closely monitoring the activities of the CACTUS ransomware group since March, primarily within the enterprise space. However, recent observations indicate a concerning trend of increased activity targeting small and medium-sized businesses (SMBs). Moreover, this threat has been compounded by the emergence of a new variant that presents greater challenges in detection and prevention.

CACTUS relies on a largely consistent set of tactics, techniques, and procedures (TTPs) across its campaigns, including the use of tools such as Chisel, Rclone, TotalExec, Scheduled Tasks, and custom scripts. The group disables security software to facilitate the distribution of the ransomware binary.

Notably, researchers have identified a distinctive detail of CACTUS's operations: a file named ntuser.dat placed in the C:\ProgramData directory. This file is used to pass the AES key needed to decrypt the RSA public key, which in turn allows the ransomware binary to be executed through Scheduled Tasks. The technique lets CACTUS establish persistence and keep its malicious activity running over time.

What is the Exposure or Risk?

The increasing targeting of SMBs by the CACTUS ransomware group raises concerns about the potential impact on smaller organizations with limited resources and cybersecurity capabilities. The deployment of an advanced and evasive variant makes detection and prevention more challenging, significantly increasing the risk of successful attacks.

The use of sophisticated tools like Chisel, Rclone, TotalExec, Scheduled Tasks, and custom scripts adds another layer of complexity to CACTUS's modus operandi. These tools enable the group to disable security software and distribute the ransomware binary with greater efficiency and effectiveness.

The CACTUS group's reliance on the file ntuser.dat as a means to pass AES keys and execute ransomware through Scheduled Tasks demonstrates their adaptability and innovation. By leveraging this method, they can establish persistence and maintain a foothold in compromised systems, prolonging the potential damage and impact on targeted organizations.

Indicators of Compromise

During the analysis of CACTUS ransomware incidents, the following files and hashes have been identified as indicators of compromise:

  • AnyDesk.exe (Remote Access Tool), MD5: d9f15227fefb98ba69d98542fbe7e568
  • psnb.ps1 (PowerShell NMAP), MD5: 3adc612b769a2b1d08b50b1fb5783bcf
  • conhost.exe (Chisel), MD5: be7b13aee7b510b052d023dd936dc32f
  • Totalexec.ps1 (PsExec script), MD5: 26f3a62d205004fbc9c76330c1c71536
  • f1.bat (Admin User Creation), MD5: d5e5980feb1906d85fbd2a5f2165baf7
  • f2.bat (Ransomware Execution), MD5: 78aea93137be5f10e9281dd578a3ba73

In addition to the identified files, the following external IP address was observed during the incident:

  • IP Address: 163.123.142.213 (Cobalt Strike)

These indicators of compromise provide valuable insights into the tools and techniques used by the CACTUS ransomware group. Organizations should be vigilant and monitor for any signs of these files, hashes, or IP addresses within their network environments.

What are the Recommendations?

To mitigate the growing risk posed by the CACTUS ransomware group, Enterprotect recommends the following measures for SMBs:

  1. Patch and Update VPN Devices: Ensure VPN devices are promptly patched and updated to address known vulnerabilities. VPN appliances are a potential initial-access point for this threat actor, so an unpatched device is a likely entry vector.

  2. Implement Password Managers: Implement password managers to securely store and manage passwords. This helps prevent the extraction of credentials from browsers, reducing the risk of unauthorized access.

  3. Monitor PowerShell Execution: Enable logging of PowerShell activity and create detections for encoded script execution. Monitoring PowerShell can help detect and respond to suspicious activities, such as those utilized by the threat actor.

  4. Audit User, Administrator, and Service Accounts: Regularly audit user, administrator, and service accounts to ensure they have the appropriate access and privileges. Implement the principle of least privilege to limit the impact of potential compromises.

  5. Implement Multi-factor Authentication (MFA): Deploy MFA across critical systems to add an extra layer of security. This can restrict access to sensitive areas and help prevent lateral movement within the network.

  6. Review Backup Strategies: Establish robust backup strategies that include taking multiple backups and ensuring at least one backup is isolated from the network. This ensures that in the event of a ransomware attack, organizations have clean and accessible copies of their data that can be restored without relying solely on compromised systems.
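As an added example (not Enterprotect's code or a CACTUS artifact), the following Python triage routine turns the indicators above and recommendation 3 into checks over process-creation events: it matches the listed MD5 hashes, flags conhost.exe running outside System32 (the name Chisel was observed under), decodes PowerShell -EncodedCommand arguments for analyst review, and flags command lines referencing C:\ProgramData\ntuser.dat. The md5|image path|command line event format, the sample events and the task name "Updater" are constructed for this example.

```python
import base64
import re

# MD5 indicators listed in the advisory above.
IOC_MD5 = {
    "d9f15227fefb98ba69d98542fbe7e568": "AnyDesk.exe (remote access tool)",
    "3adc612b769a2b1d08b50b1fb5783bcf": "psnb.ps1 (PowerShell NMAP)",
    "be7b13aee7b510b052d023dd936dc32f": "conhost.exe (Chisel)",
    "26f3a62d205004fbc9c76330c1c71536": "Totalexec.ps1 (PsExec script)",
    "d5e5980feb1906d85fbd2a5f2165baf7": "f1.bat (admin user creation)",
    "78aea93137be5f10e9281dd578a3ba73": "f2.bat (ransomware execution)",
}
# powershell.exe accepts any unambiguous prefix of -EncodedCommand; these are the usual spellings.
ENC_FLAG = re.compile(r"-e(?:ncodedcommand|nco|nc|n|c)?\b\s+([A-Za-z0-9+/=]{8,})", re.I)

def decode_encoded_command(cmdline):
    """Return the -EncodedCommand payload (base64 of UTF-16LE text) as text, or None."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le", errors="replace")
    except ValueError:  # not valid base64 (binascii.Error is a ValueError)
        return None

def triage_event(line):
    """Apply the advisory-derived rules to one 'md5|image path|command line' event."""
    md5, image, cmdline = line.split("|", 2)
    name = image.rsplit("\\", 1)[-1].lower()
    findings = []
    if md5.lower() in IOC_MD5:
        findings.append(("ioc_hash", IOC_MD5[md5.lower()]))
    # Chisel ran under the name conhost.exe; the genuine binary lives in System32.
    if name == "conhost.exe" and not image.lower().startswith("c:\\windows\\system32\\"):
        findings.append(("masquerade", image))
    decoded = decode_encoded_command(cmdline)
    if name.startswith("powershell") and decoded is not None:
        findings.append(("encoded_powershell", decoded))
    # Key material staged at C:\ProgramData\ntuser.dat and run through Scheduled Tasks.
    if "c:\\programdata\\ntuser.dat" in cmdline.lower():
        findings.append(("programdata_ntuser", cmdline))
    return findings

# Constructed sample events (not from a real incident), in the form md5|image path|command line.
SAMPLE_EVENTS = [
    "be7b13aee7b510b052d023dd936dc32f|C:\\Users\\Public\\conhost.exe|conhost.exe",
    "00000000000000000000000000000001|C:\\Windows\\System32\\conhost.exe|conhost.exe 0x4",
    "00000000000000000000000000000002|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|powershell.exe -NoProfile -enc " + base64.b64encode("Get-Date".encode("utf-16-le")).decode(),
    "00000000000000000000000000000003|C:\\Windows\\System32\\schtasks.exe|schtasks /create /tn Updater /tr C:\\ProgramData\\ntuser.dat /sc minute /mo 5",
]
```

Feed `triage_event` each event from Sysmon or Security log 4688 data in the same three-field shape; the second sample (genuine conhost.exe in System32, no IoC hash) shows the rules staying quiet on benign activity.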

Conclusion

The escalating activities of the CACTUS ransomware group targeting SMBs require organizations to be proactive in their defense strategies. By implementing strong security measures such as enhanced awareness training, robust endpoint protection, multi-factor authentication, regular backups, timely patch management, and effective incident response plans, SMBs can significantly reduce the risk of falling victim to CACTUS ransomware attacks.

It is crucial for organizations to stay vigilant and adapt their security practices to combat the evolving tactics of threat actors like CACTUS. By remaining proactive, implementing best practices, and seeking guidance from trusted cybersecurity professionals, SMBs can effectively safeguard their networks and data against the escalating threat of CACTUS ransomware.
