CACTUS, a new ransomware leveraging VPNs to infiltrate its targets.
May 9, 2023

CACTUS hides behind encryption.

Researchers at Kroll have discovered a new ransomware family called CACTUS, BleepingComputer reports.

“CACTUS has been observed leveraging documented vulnerabilities in VPN appliances in order to gain initial access,” Kroll wrote in a report emailed to the CyberWire. The ransomware uses a novel encryptor that must itself be decrypted with a key before it can run, which likely allows it to remain undetected until the threat actors launch the attack. CACTUS is a new ransomware and has not yet been used enough to gather metrics on ransom prices or the consequences of not paying.

Details about the victims and the ransom demands were initially unclear.

Kroll said, “As of the writing of this bulletin, Kroll had not yet identified a ‘shaming site’ or victim identification-related blog authored by CACTUS for purposes of sharing victim data if a ransom was not paid. In terms of ransom, there is not currently enough data to provide an average starting price. It is also yet to be seen what would happen if a ransom were not paid and how successful any threat actor provided decryptor may be.” Researchers recommend updating all VPN services and implementing password managers to minimize threat exposure. Kroll also recommends using multifactor authentication to prevent lateral movement in the infected networks.

CACTUS suggests that VPNs are no panacea.

Roger Grimes, data-driven defense evangelist at KnowBe4, points out that VPNs make their own contribution to an attack surface. "This is evidence of how a security mitigation can be used against the defenders. Using a VPN became all the rage a few years ago to fight ransomware," Grimes writes. "Today, you can't find an organizational policy or network defender that doesn't extol the necessity and value of VPNs. You have to have a VPN we are all told. And despite nearly every organization using one, it hasn't really seemed to slow down ransomware. Most organizations hit by ransomware have had VPNs. They help, but they aren't the definitive defense that's significantly going to reduce the risk of ransomware any more than firewalls or antivirus. And the increase in VPNs has created a new problem where the deployers either don't patch them, server or client side, or attackers take advantage of misconfiguration errors. Every time you add a new defense, it adds on the responsibility to maintain it over its lifetime. Obviously, many defenders don't, and it allows ransomware to blossom where it otherwise would not."

Suggestions for dealing with ransomware hiding behind encryption.

Chris Haller, Director of Professional Services at Centripetal, sees an important role for threat intelligence in combating this kind of evasive ransomware. "Ransomware is a lucrative industry; cyber criminals are probing constantly and doing reconnaissance to see what can or can’t get through the network," Haller wrote. "Exploiting unpatched vulnerabilities is one of the most common methods of attack, yet theoretically should be one of the easiest for security teams to protect against. Utilizing already available threat intelligence on these ransomware groups can thwart impending attacks and avert data breaches. Adopting a proactive stance against potential threats is crucial as relying solely on a reactive approach to threat hunting may be too late, resulting in irreversible harm."

Steve Hahn, Executive VP at BullWall, notes that CACTUS is designed to evade endpoint security tools. “This is yet another way for ransomware to completely evade the endpoint security tools such as antivirus and EDR and highlights just how easy it is for the threat actors to kick off a Ransomware attack despite the most sophisticated detection tools on the planet. Every year Ransomware completely takes down thousands of enterprises. In each such event the impacted companies invested heavily in prevention tools and were given guarantees such as 'completely effective against ransomware,'" Hahn writes. "Every ransomware event found a way to disable or evade those tools. Even the White House admits that worsening ransomware attacks are outpacing our ability to stop them. It's simply a matter of time before any business is hit, loses their infrastructure for weeks and critical data permanently. We can't continue to rely on prevention, which requires you being 100% effective 100% of the time. We must also implement ransomware containment tools to quickly neutralize the attack and air-gapped backup strategies to get systems restarted with the least amount of disruption. Like severe weather, you can prepare for it, but you can’t stop it.”

Dave Ratner, CEO of HYAS, advises looking at outbound connections. “Visibility into anomalous outbound connections, indicative of communication to command-and-control, continues to grow in priority as a necessity for modern cyber protection. As attackers find new and innovative ways to infiltrate organizations, the ability to identify the command-and-control communication and stop it before data exfiltration and encryption may be the difference between business resiliency and a significant interruption of business operations.”

Roy Akerman, Co-Founder & CEO of Rezonate, writes that criminal groups can be expected to look for more stealth, more evasiveness. “Ransomware groups continue to find stealthy techniques to bypass defenses and be able to remotely control systems. SSH backdoors as in the case of Cactus and other remote access techniques such as webshells, provide the same control and are able to disguise as benign, lightweight, traffic. SSH traffic, internal recon, use of LSASS and Cobalt Strike, tampering with security controls configuration are many steps security operations teams can better secure today. Smart security teams must take action to prevent suspicious activity on the endpoint, improve data hygiene and recovery capabilities, and limit spread of attack with least privilege access across their identity controls.”
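Ratner's point about visibility into anomalous outbound connections and Akerman's point about SSH-based remote access both come down to the same defensive question: which outbound flows look like a control channel? The script below is an added example (not code from the article, Kroll, HYAS or Rezonate) that runs two simple checks over constructed firewall log lines: it flags flows to non-internal hosts whose connection timing is nearly constant (the classic beacon signature, measured as the coefficient of variation of the intervals), and it flags outbound SSH to non-internal destinations. The key=value log format, the IP addresses, and the choice of 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16 as "internal" are all assumptions made for the example.

```python
"""Added example: flag beacon-like outbound flows and outbound SSH to non-internal
hosts in firewall logs. Log format, addresses and thresholds are constructed."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample lines in a simple key=value format (assumption, not real data).
# 10.0.5.21 -> 203.0.113.44:443 roughly every 60 s (beacon-like, light jitter),
# 10.0.5.30 -> 198.51.100.10:443 at irregular times (browsing-like),
# 10.0.5.21 -> 192.0.2.77:22 once (outbound SSH to an external host),
# 10.0.5.30 -> 10.0.1.5:22 once (internal SSH, not flagged).
SAMPLE_LOGS = """\
2023-05-09T10:00:00 src=10.0.5.21 dst=203.0.113.44 dport=443 proto=tcp action=allow
2023-05-09T10:01:00 src=10.0.5.21 dst=203.0.113.44 dport=443 proto=tcp action=allow
2023-05-09T10:02:01 src=10.0.5.21 dst=203.0.113.44 dport=443 proto=tcp action=allow
2023-05-09T10:03:00 src=10.0.5.21 dst=203.0.113.44 dport=443 proto=tcp action=allow
2023-05-09T10:04:00 src=10.0.5.21 dst=203.0.113.44 dport=443 proto=tcp action=allow
2023-05-09T10:05:02 src=10.0.5.21 dst=203.0.113.44 dport=443 proto=tcp action=allow
2023-05-09T10:06:02 src=10.0.5.21 dst=203.0.113.44 dport=443 proto=tcp action=allow
2023-05-09T10:07:01 src=10.0.5.21 dst=203.0.113.44 dport=443 proto=tcp action=allow
2023-05-09T10:00:05 src=10.0.5.30 dst=198.51.100.10 dport=443 proto=tcp action=allow
2023-05-09T10:00:10 src=10.0.5.30 dst=198.51.100.10 dport=443 proto=tcp action=allow
2023-05-09T10:05:10 src=10.0.5.30 dst=198.51.100.10 dport=443 proto=tcp action=allow
2023-05-09T10:05:22 src=10.0.5.30 dst=198.51.100.10 dport=443 proto=tcp action=allow
2023-05-09T10:20:22 src=10.0.5.30 dst=198.51.100.10 dport=443 proto=tcp action=allow
2023-05-09T10:20:40 src=10.0.5.30 dst=198.51.100.10 dport=443 proto=tcp action=allow
2023-05-09T10:08:00 src=10.0.5.21 dst=192.0.2.77 dport=22 proto=tcp action=allow
2023-05-09T10:09:00 src=10.0.5.30 dst=10.0.1.5 dport=22 proto=tcp action=allow
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) "
    r"proto=(?P<proto>\S+) action=(?P<action>\S+)$"
)

# Address space treated as "internal" for this example (assumption).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_log(text):
    """Parse log lines into dicts with a datetime timestamp; non-matching lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.fromisoformat(e["ts"])
        e["dport"] = int(e["dport"])
        events.append(e)
    return events


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_beacons(events, min_events=6, max_cv=0.15):
    """Flag (src, dst, dport) flows to non-internal hosts whose inter-connection intervals
    are nearly constant. cv = stdev / mean of the gaps; a low cv means regular timing,
    the classic command-and-control beacon signature. Light jitter still passes."""
    flows = defaultdict(list)
    for e in events:
        if e["action"] == "allow" and not is_internal(e["dst"]):
            flows[(e["src"], e["dst"], e["dport"])].append(e["ts"])
    hits = []
    for (src, dst, dport), stamps in flows.items():
        if len(stamps) < min_events:
            continue
        stamps.sort()  # logs may not arrive in time order
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            hits.append({"src": src, "dst": dst, "dport": dport,
                         "count": len(stamps), "mean_interval": avg, "cv": cv})
    return hits


def find_external_ssh(events):
    """Allowed outbound SSH to a non-internal destination: rare for most workstations,
    and one of the remote-access channels the quote above names."""
    return [e for e in events
            if e["dport"] == 22 and e["action"] == "allow" and not is_internal(e["dst"])]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOGS)
    for b in find_beacons(evs):
        print(f"beacon-like: {b['src']} -> {b['dst']}:{b['dport']} "
              f"n={b['count']} every ~{b['mean_interval']:.0f}s cv={b['cv']:.3f}")
    for e in find_external_ssh(evs):
        print(f"external ssh: {e['src']} -> {e['dst']} at {e['ts'].isoformat()}")
```

On the sample data only the 60-second flow from 10.0.5.21 is reported as beacon-like (cv about 0.02), while the irregular browsing-like flow is not; the outbound SSH from 10.0.5.21 to 192.0.2.77 is listed separately. In production the interval regularity check should be paired with destination reputation or rarity (how many internal hosts talk to that destination), since plenty of legitimate agents also poll on a fixed schedule.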