Cybersecurity threats come in many forms. Ransomware is an attack designed to encrypt a computer's file systems, after which the cybercriminals demand a ransom in exchange for the decryption key.
Paying the ransom, however, does not solve the problem. Modern CISOs and CIOs are overwhelmed by sophisticated ransomware attacks; the days of simple file encryption are gone. Today's security analysts and leaders are contending with advanced cybercriminals who use custom-tailored, complex methods and operate within organized criminal groups that run their operations like businesses.
Cactus ransomware is a sophisticated cyber attack. Since its discovery, Cactus has taken the world by storm, causing worldwide impact as a cybersecurity risk and quickly gaining a foothold in cybercrime.
A few impacts of the Black Basta ransomware are as follows:
- A total extortion amount of US$107 million in bitcoin was reported in 2023, attributed to the Black Basta threat group.
- North America was the region most affected by this incident, followed by Europe, which accounted for 18 percent.
- The Black Basta ransomware hit the manufacturing, real estate, and construction industries hardest. It was linked to 28 of the 373 ransomware incidents reported in April 2024.
- A joint cybersecurity advisory released by the United States agencies FBI, CISA, HHS, and MS-ISAC highlighted that, in November 2024, Black Basta ransomware had hit 12 out of 16 critical sectors.
- A threat report by Kaspersky noted that Black Basta ranked as the 12th most active ransomware family in 2023 and saw a significant increase in activity in Q1 2024.
The key characteristic of Cactus ransomware is double extortion: the threat actor steals the victim's data and does not provide the decryption key even after the ransom is paid. The threat actor behind Cactus remains unclear, though security defenders believe it originates from a Malaysian hacktivist group.
A Look at the Cactus Attack Chains
Cactus ransomware isn't an average cyber threat; it's highly sophisticated. The threat group behind Cactus ransomware attacks uses a multi-stage attack process, combining social engineering (such as fake Microsoft Teams messages), remote access tools, and custom-built malware implants to infiltrate systems and stay hidden.
Once inside the target system, the threat actors don't just lock up files. They navigate through networks, escalate privileges, and maintain stealth, all while preparing for the final blow: encryption and extortion. Even when their encryption is blocked, as in a recent case, they still send threatening ransom notes via email, proof that they can adapt and carry an attack through from start to finish.
For the initial compromise, ransomware threat actors often exploit unpatched vulnerabilities in widely used software, such as VPN services, remote desktop protocols, or web applications, to gain access to the victim's network. Attackers may also use phishing emails or compromised legitimate websites to distribute malicious payloads. These emails often contain malicious attachments or links that, when opened, deploy the ransomware.
In the persistence phase, once inside, the attackers deploy legitimate remote management tools or malicious implants such as remote access trojans. These tools provide continuous access and help evade detection. Attackers often dump credentials from the compromised system (from process memory or web browser credential stores) to escalate privileges and spread within the network.
After gaining access to one machine, attackers use network scanning tools to identify other vulnerable devices on the network as part of lateral movement. Network scanning lets them move laterally across systems and reach higher-value targets. Once vulnerabilities are identified, the ransomware can propagate through the network by exploiting SMB or RDP, or by leveraging other insecure protocols.
Data Exfiltration (Double Extortion)
Before file encryption, ransomware groups exfiltrate sensitive or valuable data to external locations (cloud storage, command-and-control servers). Advanced ransomware attacks use double extortion, in which cybercriminals put extra pressure on the victim to pay the ransom; otherwise, they threaten to publish the stolen data on public forums or the dark web.
A report by the ISA Global Cybersecurity Alliance (ISAGCA) highlighted that modern threat actors have evolved to use new attack propagation methods, and double extortion ransomware is one of the sophisticated methods that have made headlines since 2020. Once exfiltration is complete, the threat actor begins encrypting files on the compromised system.
Files are typically encrypted with strong encryption algorithms and renamed with a unique file extension, making recovery difficult without the decryption key. Some ransomware strains employ specific techniques like file fragmentation or buffer encryption to speed up the encryption process, making detection harder. A ransom note (often a text file or HTML page) is dropped on the infected system, demanding payment in cryptocurrency to decrypt the files. The note usually includes threats of permanent data loss or public exposure unless the ransom is paid.
Ransomware often uses techniques like code obfuscation or packing (e.g., UPX or custom packers) to evade detection by traditional security tools. Some ransomware is designed to detect if it's running in a sandbox environment, which security tools use to analyze malware. If it detects a sandbox, it may delay or halt its execution.
Security analysts can watch for several indicators of ransomware activity:
- Sudden, unusual file extensions or bulk file renaming patterns, which can indicate encryption in progress.
- Suspicious network traffic, such as large outbound transfers or communication with unfamiliar external IPs, which can point to exfiltration or command-and-control activity.
- Anomalous command executions, especially those associated with credential dumping, lateral movement tools, or remote access tools.
- The creation of ransom notes in directories, alongside files with unusual extensions.
- Spikes in system resource usage (e.g., CPU, disk I/O) during encryption, so monitoring these metrics can help detect an attack early.
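The following detector, an added example rather than code from the original article, turns three of the indicators above (bulk renames to one new extension, ransom-note creation, and suspicious command lines tied to the credential-dumping stage described earlier) into a small rule set over constructed host telemetry. The event tuple format, file names, the ".locked" extension, and all thresholds are assumptions for illustration.

```python
"""Heuristic ransomware-activity detector over constructed host telemetry.

Added example, not code from the original article. The event format, sample
events, ransom-note names and thresholds are constructed assumptions.
"""
from collections import defaultdict

# Constructed sample events: (timestamp_seconds, host, event_type, detail).
SAMPLE_EVENTS = [
    (100, "ws-01", "process", "C:\\tools\\dumper.exe --target lsass.exe"),
    (130, "ws-01", "rename", "C:\\Docs\\a.docx -> C:\\Docs\\a.docx.locked"),
    (131, "ws-01", "rename", "C:\\Docs\\b.xlsx -> C:\\Docs\\b.xlsx.locked"),
    (132, "ws-01", "rename", "C:\\Docs\\c.pdf -> C:\\Docs\\c.pdf.locked"),
    (133, "ws-01", "rename", "C:\\Docs\\d.pptx -> C:\\Docs\\d.pptx.locked"),
    (134, "ws-01", "rename", "C:\\Docs\\e.txt -> C:\\Docs\\e.txt.locked"),
    (135, "ws-01", "create", "C:\\Docs\\README.txt"),
    (900, "ws-02", "rename", "C:\\Users\\u\\draft.docx -> C:\\Users\\u\\final.docx"),
    (901, "ws-02", "process", "C:\\Windows\\System32\\notepad.exe"),
]

RENAME_BURST = 5   # renames to the same new extension on one host ...
WINDOW = 60        # ... within this many seconds trigger an alert
RANSOM_NOTE_NAMES = {"readme.txt", "restore_files.txt"}   # constructed names
SUSPICIOUS_CMD = ("lsass", "winrm", "net use")            # constructed keywords


def detect(events):
    """Return a list of (finding_type, host, detail) tuples."""
    findings = []
    renames = defaultdict(list)  # (host, new_extension) -> [timestamps]
    for ts, host, kind, detail in events:
        if kind == "rename":
            _, _, new_path = detail.partition(" -> ")
            ext = new_path.rsplit(".", 1)[-1].lower()
            renames[(host, ext)].append(ts)
        elif kind == "create":
            name = detail.replace("\\", "/").rsplit("/", 1)[-1].lower()
            if name in RANSOM_NOTE_NAMES:
                findings.append(("ransom_note", host, detail))
        elif kind == "process":
            if any(k in detail.lower() for k in SUSPICIOUS_CMD):
                findings.append(("suspicious_command", host, detail))
    # Sliding window: RENAME_BURST renames to one extension inside WINDOW seconds.
    for (host, ext), stamps in renames.items():
        stamps.sort()
        for i in range(len(stamps) - RENAME_BURST + 1):
            if stamps[i + RENAME_BURST - 1] - stamps[i] <= WINDOW:
                findings.append(("rename_burst", host, f".{ext} x{len(stamps)}"))
                break
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

The single legitimate rename on ws-02 and its benign process event produce no findings, which is the point of requiring a burst to a single new extension rather than alerting on any rename.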
Cactus's Tactics, Techniques, and Procedures (TTPs)
The group's activity matches many known techniques in the MITRE ATT&CK framework. Here's a simplified breakdown:
- Initial Access: Phishing (T1566.003), abuse of collaboration tools (T1199)
- Execution: Malicious file execution (.bpx archives) (T1204.002)
- Persistence: Registry modifications (T1547.001)
- Privilege Escalation: DLL sideloading (T1574.001)
- Defense Evasion: File masquerading (T1036.005), disabling firewalls (T1562.004)
- Lateral Movement: Using WinRM and SMB (T1021.002, T1021.006)
- Command & Control: Encrypted channels with BackConnect implants (T1071.001, T1571)
- Exfiltration: WinSCP file transfer (T1105)
- Impact: File encryption (T1486), ransom notes, and threats
Final Thoughts
To mitigate and respond to Cactus ransomware attacks, once an infection is detected, isolate the affected machines from the network immediately to prevent further spread. Good, isolated, and up-to-date backups are essential for recovery; regular backups ensure systems can be restored without paying the ransom. After the attack, forensic analysis helps determine the attack vector, the affected systems, and the scope of data exfiltration. Organizations must stay alert, monitor key indicators, and prioritize cybersecurity awareness and response planning to stay ahead of threats like Cactus.
Success in ransomware defense is not a question of deploying the most advanced tools; it is about using the right tools effectively as part of a comprehensive security strategy.