
Cactus: Defending Against a Ransomware Newcomer

Logpoint has analyzed Tactics, Techniques, and Procedures (TTPs) and Indicators of Compromise (IoCs) to establish defenses

Cactus has emerged as a sophisticated ransomware group with a severe impact on its victims. The newcomer first appeared in March 2023 and has entered the top 10 groups with the most monthly victims, ranking at number 7 with 58 victims as of November. The group is focusing on substantial payouts and targets large commercial entities.

“Cactus is a good example of ransomware groups employing increasingly sophisticated TTPs in their attacks. What stands out in this case is that the malware encrypts itself to evade detection,” says Bibek Thapa Magar, Logpoint Security Analytics Engineer. “The smooth way of avoiding defenses shows that the group is good at the game. Cactus has quickly made a significant impact, using double extortion, compromising sensitive data, and leaving victims with limited choices.”

Cactus is a sophisticated ransomware with unique features such as auto-encryption and a consecutive change of file extensions post-encryption, making it more challenging to identify affected files. It employs the well-known and easily “unpackable” UPX packer and divides encrypted files into micro-buffers, possibly to speed up the management of encrypted data streams.

Logpoint has collated a report highlighting the TTPs and IoCs used by Cactus and has created alert rules to detect the methods the group uses. According to Kroll, Cactus exploits known vulnerabilities in VPN appliances to gain initial access and establishes command and control over SSH. The group attempts to dump LSASS and credentials from web browsers to escalate privileges. Ultimately, Cactus gains access to target computers using Splashtop or AnyDesk and creates a proxy between infected hosts using Chisel before encrypting files.
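As an added example (not Logpoint's alert rules and not from the Kroll report), the following Python correlates constructed Sysmon-style events on a per-host basis against three stages named above: LSASS access for credential dumping, execution of the remote-access tools (AnyDesk, Splashtop) and execution of the Chisel proxy. Host names, paths and the allowlist are assumptions for illustration.

```python
# Added detection example: correlate Cactus-style stages per host. Not Logpoint's rules.
from collections import defaultdict

# Tool and behaviour markers taken from the TTPs named in the article.
REMOTE_ACCESS_TOOLS = ("anydesk", "splashtop")
TUNNEL_TOOLS = ("chisel",)
# Processes that legitimately open lsass.exe (small, assumed allowlist; tune per estate).
LSASS_ALLOWLIST = ("csrss.exe", "wininit.exe", "msmpeng.exe")

# Constructed sample telemetry (hypothetical hosts and paths).
# event_id 1 = process create, event_id 10 = process access (Sysmon numbering).
SAMPLE_EVENTS = [
    {"host": "ws01", "event_id": 10, "image": r"C:\Windows\Temp\dump.exe",
     "target": r"C:\Windows\System32\lsass.exe"},
    {"host": "ws01", "event_id": 1, "image": r"C:\ProgramData\chisel.exe",
     "target": ""},
    {"host": "ws01", "event_id": 1, "image": r"C:\Program Files\AnyDesk\AnyDesk.exe",
     "target": ""},
    {"host": "srv02", "event_id": 1, "image": r"C:\Windows\System32\notepad.exe",
     "target": ""},
    {"host": "srv02", "event_id": 10, "image": r"C:\Windows\System32\csrss.exe",
     "target": r"C:\Windows\System32\lsass.exe"},
]

def classify(event):
    """Map one event to a TTP stage from the article, or None if it looks benign."""
    image = event["image"].lower().rsplit("\\", 1)[-1]  # basename of the acting process
    if event["event_id"] == 10 and event["target"].lower().endswith("\\lsass.exe"):
        return None if image in LSASS_ALLOWLIST else "credential_dump"
    if event["event_id"] == 1:
        if any(t in image for t in TUNNEL_TOOLS):
            return "proxy_tunnel"
        if any(t in image for t in REMOTE_ACCESS_TOOLS):
            return "remote_access_tool"
    return None

def correlate(events, min_stages=2):
    """Return {host: sorted stages} for hosts showing at least min_stages distinct stages."""
    stages = defaultdict(set)
    for ev in events:
        stage = classify(ev)
        if stage:
            stages[ev["host"]].add(stage)
    return {h: sorted(s) for h, s in stages.items() if len(s) >= min_stages}

if __name__ == "__main__":
    print(correlate(SAMPLE_EVENTS))  # only ws01 crosses the two-stage threshold
```

Requiring two distinct stages on one host keeps a lone AnyDesk install (common in IT support) from paging an analyst, while an LSASS access from an unrecognised binary still scores on its own if you lower `min_stages` to 1.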

“Cactus is a good reminder that basic cyber hygiene is important, but it also highlights that monitoring and detection is key to protecting against newer ransomware,” says Bibek Thapa Magar. “If activity is detected, security analysts should investigate and make sure it doesn’t spread by disabling virtual private networks (VPNs), remote access servers, single sign-on resources, and public-facing assets before engaging in containment, eradication, and recovery to minimize the impact.”

Logpoint’s security operations platform, Converged SIEM, contains extensive tools and capabilities for identifying, evaluating, and mitigating the impact of Cactus Ransomware. In addition to an alert rule package to help detect Cactus activity, Logpoint offers capabilities enabling security teams to automate essential incident response procedures.
