
Cactus Ransomware

Written by The Hivemind | Feb 5, 2024 7:04:38 PM

Verticals Targeted: Energy

Executive Summary

Cactus is a ransomware family that has been active since at least March 2023 and has been gaining momentum in recent months. Cactus recently claimed an attack on Schneider Electric.

Key Takeaways

  • Cactus is a ransomware family that has been active since at least March 2023.
  • Cactus, which is written in C/C++, is known to use a complex infection chain. 
  • Cactus has recently gained momentum, with the threat actors behind the ransomware claiming several victims over the past few months.
  • Cactus claimed responsibility for an attack on energy giant Schneider Electric earlier this month.

What is Cactus?

Cactus is a ransomware family that has been active since at least March 2023. SecurityScorecard recently reported on Cactus. The Cactus ransomware group is known to exploit vulnerabilities, particularly with VPNs, to obtain access to the victim’s infrastructure. Cactus, which is written in C/C++, is known to use a complex infection chain. 

Cactus is packed using UPX and uses a unique encryption technique that encrypts the ransomware binary itself. It is effective at evading antivirus and is known to maintain persistence and lie in wait. Cactus creates a mutex to ensure only one copy runs at a time. In order to maintain persistence, Cactus creates a scheduled task. 

When encrypting victim files, Cactus leverages AES encryption, with the key being encrypted using a public RSA key. Encrypted files are appended with a .cts0 or .cts1 extension. Additionally, Cactus uses a double extortion scheme, stealing victim data and threatening to leak the data if the ransom is not paid. 

Cactus is known to target a variety of entities, with a high number of victims in the manufacturing and professional services verticals. Cactus does not appear to limit its targeting to a particular region and has been observed targeting entities in North America, South America, Europe, and Australia. 

Cactus has recently gained momentum, with the threat actors behind the ransomware claiming several victims over the past few months. Some of the group’s recent victims include Swedish retailer COOP, Acutis, Intercity Investments, and Bell Group. 

Cactus claimed responsibility for an attack on Schneider Electric earlier this month. Schneider Electric is an energy and automation giant. The attack reportedly affected Schneider Electric’s Sustainability Business division. Several terabytes of corporate data were reportedly stolen, and Cactus is threatening to leak the data if the ransom is not paid. While Schneider Electric has confirmed the ransomware attack, they did not provide details on which ransomware family was responsible for the attack.

Industry researchers have assessed that the threat actors behind Cactus have a sophisticated understanding of evasion techniques and are efficient in their delivery and deployment of payloads on victim systems. 

IOCs

PolySwarm has multiple samples of Cactus.

c49b4faa6ac7b5c207410ed1e86d0f21c00f47a78c531a0a736266c436cc1c0a
9ec6d3bc07743d96b723174379620dd56c167c58a1e04dbfb7a392319647441a
78c16de9fc07f1d0375a093903f86583a4e32037a7da8aa2f90ecb15c4862c17
d7429c7ecea552403d8e9b420578f954f5bf5407996afaa36db723a0c070c4de
5b70972c72bf8af098350f8a53ec830ddbd5c2c7809c71649c93f32a8a3f1371
69b6b447ce63c98acc9569fdcc3780ced1e22ebd50c5cad9ee1ea7a4d42e62cc
b9ef2e948a9b49a6930fc190b22cbdb3571579d37a4de56564e41a2ef736767b

You can use the following CLI command to search for all Cactus samples in our portal:

$ polyswarm link list -f Cactus
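The hashes above and the .cts0/.cts1 extensions described earlier can be combined into a simple host-side hunting check. The following Python script is an added example, not PolySwarm's code and not the polyswarm CLI: it normalises the seven listed SHA-256 values to lowercase (two of them appear on the page with an uppercase leading digit, and hex comparisons must not depend on case), walks a directory tree, and reports files whose extension matches or whose SHA-256 is in the IOC set. The files it writes into a temporary directory are constructed for the demonstration, and the extra hash it adds to the IOC set is computed from one of those constructed files; it is not a real Cactus indicator.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# SHA-256 hashes listed in the IOC section above, normalised to lowercase hex.
CACTUS_SHA256 = {
    h.lower()
    for h in (
        "C49b4faa6ac7b5c207410ed1e86d0f21c00f47a78c531a0a736266c436cc1c0a",
        "9ec6d3bc07743d96b723174379620dd56c167c58a1e04dbfb7a392319647441a",
        "78c16de9fc07f1d0375a093903f86583a4e32037a7da8aa2f90ecb15c4862c17",
        "D7429c7ecea552403d8e9b420578f954f5bf5407996afaa36db723a0c070c4de",
        "5b70972c72bf8af098350f8a53ec830ddbd5c2c7809c71649c93f32a8a3f1371",
        "69b6b447ce63c98acc9569fdcc3780ced1e22ebd50c5cad9ee1ea7a4d42e62cc",
        "b9ef2e948a9b49a6930fc190b22cbdb3571579d37a4de56564e41a2ef736767b",
    )
}

# Extensions the page says Cactus appends to encrypted files.
CACTUS_EXTENSIONS = {".cts0", ".cts1"}

_SHA256_HEX = re.compile(r"^[0-9a-f]{64}$")


def valid_iocs(iocs):
    """Return only well-formed lowercase SHA-256 strings; catches copy/paste damage in IOC lists."""
    return {h for h in iocs if _SHA256_HEX.match(h)}


def sha256_of(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so large files do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def scan_tree(root, ioc_hashes=CACTUS_SHA256):
    """Walk `root` and return {path: [reasons]} for files that match an IOC hash or a Cactus extension."""
    ioc_hashes = valid_iocs(ioc_hashes)
    findings = {}
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        reasons = []
        # Extension check: "report.docx.cts1" has suffix ".cts1".
        if path.suffix.lower() in CACTUS_EXTENSIONS:
            reasons.append("cactus-extension")
        # Hash check against the IOC set (lowercase hex on both sides).
        if sha256_of(path) in ioc_hashes:
            reasons.append("ioc-hash-match")
        if reasons:
            findings[str(path)] = reasons
    return findings


def run_demo():
    """Build a constructed directory tree, scan it, and return findings keyed by file name."""
    with tempfile.TemporaryDirectory() as root:
        root_path = Path(root)
        # Constructed sample files; none of this content is real malware.
        (root_path / "notes.txt").write_bytes(b"quarterly figures")
        (root_path / "report.docx.cts1").write_bytes(b"\x00\x01opaque encrypted bytes")
        sample = root_path / "payload.bin"
        sample.write_bytes(b"constructed sample for the demo, not a real Cactus binary")
        # The hash of the constructed sample stands in for a real indicator here.
        demo_iocs = CACTUS_SHA256 | {sha256_of(sample)}
        findings = scan_tree(root_path, demo_iocs)
        return {Path(p).name: reasons for p, reasons in findings.items()}


if __name__ == "__main__":
    for name, reasons in sorted(run_demo().items()):
        print(f"{name}: {', '.join(reasons)}")
```

In practice you would point scan_tree at file shares or endpoints rather than a temporary directory, and feed it the IOC set from the portal search above; the extension check is the cheaper signal and is the one most likely to fire during an active encryption run, while the hash check only catches samples already known.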


Contact us at hivemind@polyswarm.io | Check out our blog | Subscribe to our reports.