Verticals Targeted: Energy
Cactus is a ransomware family that has been active since at least March 2023 and has been gaining momentum in recent months. Cactus recently claimed an attack on Schneider Electric.
- Cactus is a ransomware family that has been active since at least March 2023.
- Cactus, which is written in C/C++, is known to use a complex infection chain.
- Cactus has recently gained momentum, with the threat actors behind the ransomware claiming several victims over the past few months.
- Cactus claimed responsibility for an attack on energy giant Schneider Electric earlier this month.
What is Cactus?
Cactus is a ransomware family that has been active since at least March 2023. SecurityScorecard recently reported on Cactus. The Cactus ransomware group is known to exploit vulnerabilities, particularly in VPN appliances, to gain initial access to the victim’s infrastructure. Cactus, which is written in C/C++, is known to use a complex infection chain.
Cactus is packed using UPX and uses a unique encryption technique that encrypts the ransomware binary itself. It is effective at evading antivirus and is known to maintain persistence and lie in wait. Cactus creates a mutex to ensure only one copy runs at a time. In order to maintain persistence, Cactus creates a scheduled task.
When encrypting victim files, Cactus leverages AES encryption, with the key being encrypted using a public RSA key. Encrypted files are appended with a .cts0 or .cts1 extension. Additionally, Cactus uses a double extortion scheme, stealing victim data and threatening to leak the data if the ransom is not paid.
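As an added illustration that is not part of the original PolySwarm post, the following defender-side check looks for a burst of renames to the .cts0/.cts1 extensions described above in file-activity logs. The log line format (timestamp, action, path) and the threshold are assumptions, and the sample log lines are constructed for this example.

```python
"""Flag a burst of renames to Cactus-style .cts0/.cts1 extensions in file-activity logs."""
from collections import deque
from datetime import datetime, timedelta

# Extensions the post reports Cactus appending to encrypted files.
CACTUS_EXTENSIONS = (".cts0", ".cts1")

# Constructed sample log: "<ISO timestamp> <ACTION> <path>[ -> <new path>]".
# One benign rename, a tight cluster of three Cactus-style renames, and one isolated rename.
SAMPLE_LOG = """\
2024-01-20T10:00:00 RENAME C:\\Users\\alice\\report.docx -> C:\\Users\\alice\\report.docx.bak
2024-01-20T10:05:00 RENAME C:\\Shares\\finance\\q3.xlsx -> C:\\Shares\\finance\\q3.xlsx.cts0
2024-01-20T10:05:02 RENAME C:\\Shares\\finance\\q4.xlsx -> C:\\Shares\\finance\\q4.xlsx.cts1
2024-01-20T10:05:03 WRITE C:\\Shares\\finance\\notes.txt
2024-01-20T10:05:05 RENAME C:\\Shares\\finance\\budget.pdf -> C:\\Shares\\finance\\budget.pdf.cts0
2024-01-20T11:30:00 RENAME C:\\Shares\\hr\\old.csv -> C:\\Shares\\hr\\old.csv.cts0
"""


def parse_event(line):
    """Split one log line into (timestamp, action, path); for renames use the destination path."""
    ts, action, rest = line.split(" ", 2)
    path = rest.split(" -> ", 1)[-1]
    return datetime.fromisoformat(ts), action, path


def is_cactus_rename(action, path):
    """True when a file was renamed to one of the extensions Cactus is reported to use."""
    return action == "RENAME" and path.lower().endswith(CACTUS_EXTENSIONS)


def detect_rename_burst(lines, threshold=5, window_seconds=60):
    """Return (first_ts, last_ts, count) for each burst of >= threshold
    Cactus-style renames inside a sliding window of window_seconds (assumed values)."""
    window, alerts = deque(), []
    for line in lines:
        ts, action, path = parse_event(line)
        if not is_cactus_rename(action, path):
            continue
        window.append(ts)
        while ts - window[0] > timedelta(seconds=window_seconds):
            window.popleft()
        if len(window) >= threshold:
            alerts.append((window[0], ts, len(window)))
            window.clear()  # one alert per burst, then start counting again
    return alerts


if __name__ == "__main__":
    for first, last, count in detect_rename_burst(SAMPLE_LOG.splitlines(), threshold=3):
        print(f"ALERT: {count} .cts0/.cts1 renames between {first} and {last}")
```

Lower the threshold for file servers with little normal rename activity; the isolated 11:30 rename is deliberately left below the bar so a single stray extension does not page anyone.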
Cactus is known to target a variety of entities, with a high number of victims in the manufacturing and professional services verticals. Cactus does not appear to limit its targeting to a particular region and has been observed targeting entities in North America, South America, Europe, and Australia.
Cactus has recently gained momentum, with the threat actors behind the ransomware claiming several victims over the past few months. Some of the group’s recent victims include Swedish retailer COOP, Acutis, Intercity Investments, and Bell Group.
Cactus claimed responsibility for an attack on Schneider Electric earlier this month. Schneider Electric is an energy and automation giant. The attack reportedly affected Schneider Electric’s Sustainability Business division. Several terabytes of corporate data were reportedly stolen, and Cactus is threatening to leak the data if the ransom is not paid. While Schneider Electric has confirmed the ransomware attack, the company did not provide details on which ransomware family was responsible.
Industry researchers have assessed that the threat actors behind Cactus have a sophisticated understanding of evasion techniques and are efficient in their delivery and deployment of payloads on victim systems.
PolySwarm has multiple samples of Cactus.
You can use the following CLI command to search for all Cactus samples in our portal:
$ polyswarm link list -f Cactus