Cactus Ransomware Group Lists Two New Victims on Dark Web Portal

The Cactus ransomware group, a rapidly evolving cybercriminal operation, has intensified its global campaign by targeting two new high-profile victims: KYB Americas, a U.S.-based automotive components manufacturer, and ASSA ABLOY, a Swedish security solutions conglomerate.

The group claims to have exfiltrated 1.8 TB of sensitive data from KYB and 229 GB from ASSA ABLOY, threatening to leak the information unless ransoms are paid.

These attacks align with Cactus’s modus operandi of exploiting vulnerabilities in public-facing applications, deploying double extortion tactics, and leveraging ties to other ransomware syndicates like Black Basta.

Technical Overview of Cactus Ransomware

Operational Tactics

Cactus employs a multi-layered attack chain that begins with the exploitation of vulnerabilities in internet-facing VPN appliances (e.g., CVE-2023-38035, an authentication bypass in Ivanti Sentry, and flaws in Fortinet VPN devices).

After initial access, attackers establish persistence via SSH backdoors and Remote Monitoring and Management (RMM) tools like AnyDesk.

Network reconnaissance follows using tools such as SoftPerfect Network Scanner or PSNmap.ps1 to map IP addresses, user accounts, and active machines.

Encryption and Evasion

The ransomware uses AES-256 in CBC mode to encrypt file contents and RSA-4096 to protect the encryption keys, appending an extension such as .cts1 or .cts7 to encrypted files.

To evade detection, Cactus ships its own binary in encrypted form and unpacks it at runtime with a key supplied at launch, so the plain payload is not left on disk for scanners to inspect; batch scripts then uninstall antivirus products via msiexec.

Double Extortion

Cactus exfiltrates data with Rclone before encryption begins and threatens to leak it on its dark web portal. Ransom notes (cAcTuS.readme.txt) demand payment in exchange for decryption keys and for withholding the stolen data.
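The two on-disk indicators the article names (the .cts1/.cts7 extension on encrypted files and the cAcTuS.readme.txt ransom note) can be combined with a byte-entropy check to triage a file share during response. The following is an added example written for this page, not code from the article or from the ransomware; it assumes that any single-digit .ctsN suffix counts as a Cactus extension, picks 7.5 bits per byte as the entropy cutoff, and runs on constructed sample files rather than real victim data.

```python
import math
import os
import random
import re
from typing import Dict, List

# Indicators from the article: .cts1/.cts7 extensions and the cAcTuS.readme.txt note.
# Accepting any single-digit .ctsN suffix is an assumption made for this example.
ENCRYPTED_EXT_RE = re.compile(r"\.cts\d$", re.IGNORECASE)
RANSOM_NOTE_NAME = "cactus.readme.txt"
ENTROPY_THRESHOLD = 7.5  # bits per byte; assumed cutoff for "looks encrypted"


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty input, at most 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def classify_file(name: str, head: bytes) -> List[str]:
    """Return the indicator tags that apply to one file.

    `name` is the file path, `head` the first few KiB of its content.
    """
    tags: List[str] = []
    if os.path.basename(name).lower() == RANSOM_NOTE_NAME:
        tags.append("ransom_note")
    if ENCRYPTED_EXT_RE.search(name):
        tags.append("cactus_extension")
    if shannon_entropy(head) >= ENTROPY_THRESHOLD:
        tags.append("high_entropy")
    return tags


def triage(files: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Map each file to its indicator tags, dropping files with none."""
    result: Dict[str, List[str]] = {}
    for name, head in files.items():
        tags = classify_file(name, head)
        if tags:
            result[name] = tags
    return result


def sample_files() -> Dict[str, bytes]:
    """Constructed sample data, not taken from any real incident."""
    rng = random.Random(1234)

    def noise(n: int) -> bytes:
        # Seeded pseudo-random bytes stand in for encrypted content.
        return bytes(rng.getrandbits(8) for _ in range(n))

    return {
        "invoices.xlsx.cts1": noise(4096),
        "report.docx.cts7": noise(4096),
        "cAcTuS.readme.txt": b"Your files have been encrypted.\n" * 8,
        "notes.txt": b"Quarterly planning meeting notes.\n" * 64,
        # Extension without encrypted-looking content: worth a look, but weaker.
        "backup.zip.cts3": b"A" * 4096,
    }


if __name__ == "__main__":
    for path, tags in triage(sample_files()).items():
        print(f"{path}: {', '.join(tags)}")
```

The entropy check matters because an attacker can rename files, but cannot make AES-CBC output look like a spreadsheet; conversely, the extension alone catches files that were renamed but never encrypted, which is why both signals are reported separately rather than folded into one score.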

Links to Black Basta and Shared Infrastructure

Recent analyses by Trend Micro and Sophos reveal overlaps between Cactus and the Black Basta ransomware group, including:

  • Shared BackConnect Malware: Both groups use this module for persistent remote access, credential theft, and lateral movement.
  • Social Engineering: Attackers flood email inboxes, then pose as IT support to trick victims into granting remote access via Microsoft Teams or Quick Assist.
  • Legitimate Tool Abuse: legitimate binaries such as WinSCP and OneDriveStandaloneUpdater.exe are abused to load and run malicious payloads (for example through DLL side-loading), so the initial execution comes from a signed, trusted-looking process.

Black Basta, which is estimated to have collected at least $107 million in ransom payments by late 2023, has seen members migrate to Cactus, as evidenced by near-identical Tactics, Techniques, and Procedures (TTPs).

Mitigation Strategies

Organizations can defend against Cactus by:

  1. Patching VPN and Edge Appliances: Prioritize updates for Fortinet, Ivanti, and Qlik Sense vulnerabilities, since these are the group's documented entry points.
  2. Enforcing MFA: Credentials harvested from LSASS memory dumps are far less useful when VPN and privileged logins require a second factor.
  3. Monitoring RMM Tools: Restrict and alert on unauthorized installs of AnyDesk, Splashtop, or similar remote-access software.
  4. Blocking Malicious Infrastructure: Identify and block C2 servers linked to BackConnect at the network edge.
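Several of the behaviours described above (batch-scripted msiexec uninstalls of security software, Rclone pushing data to a remote, AnyDesk or Splashtop appearing where they were never approved, SoftPerfect Network Scanner or PSNmap.ps1 mapping the network, Quick Assist sessions, and OneDriveStandaloneUpdater.exe running from an unusual location) all surface in process-creation telemetry. The following is an added example written for this page, not code from the article or from any vendor: a small rule set run over constructed Sysmon-style events. The field names, the keyword lists, the "approved" allowlist and the sample events are assumptions; the netscan.exe binary name and the OneDrive install directories are the common ones but should be confirmed against your own environment.

```python
import re
from typing import Dict, Iterable, List, Tuple

# Tool names come from the article. Keyword lists, field names, directory
# patterns and the sample events are assumptions constructed for this example.
RMM_KEYWORDS = ("anydesk", "splashtop")
RECON_IMAGES = {"netscan.exe"}  # SoftPerfect Network Scanner binary name
ONEDRIVE_DIRS = ("\\microsoft\\onedrive\\", "\\microsoft onedrive\\")
# An rclone remote is written "name:" with at least two characters, so "C:" is excluded.
REMOTE_SPEC_RE = re.compile(r"(?<![\w\\/:])[a-z0-9_-]{2,}:")


def _norm(path: str) -> str:
    return path.replace("/", "\\").lower()


def evaluate(event: Dict[str, str], approved_rmm: Iterable[str] = ()) -> List[str]:
    """Return the names of the rules that fire for one process-creation event."""
    image = _norm(event.get("Image", ""))
    exe = image.rsplit("\\", 1)[-1]
    parent = _norm(event.get("ParentImage", "")).rsplit("\\", 1)[-1]
    cmd = event.get("CommandLine", "").lower()
    hits: List[str] = []

    # msiexec uninstall launched from a batch script (cmd.exe parent)
    if exe == "msiexec.exe" and re.search(r"/(x\b|uninstall)", cmd) and parent == "cmd.exe":
        hits.append("scripted_msiexec_uninstall")

    # Rclone copying data to a configured remote (exfiltration staging)
    if exe == "rclone.exe" and re.search(r"\b(copy|sync|move)\b", cmd) and REMOTE_SPEC_RE.search(cmd):
        hits.append("rclone_exfiltration")

    # Remote-access tooling that is not on the organisation's approved list
    if any(k in image for k in RMM_KEYWORDS) and not any(a.lower() in image for a in approved_rmm):
        hits.append("unapproved_rmm_tool")

    # Network reconnaissance tooling
    if exe in RECON_IMAGES or "psnmap.ps1" in cmd:
        hits.append("network_recon_tool")

    # Quick Assist session: context for the IT-support pretext, not malicious on its own
    if exe == "quickassist.exe":
        hits.append("quick_assist_session")

    # OneDrive updater running from outside its normal install directories
    if exe == "onedrivestandaloneupdater.exe" and not any(d in image for d in ONEDRIVE_DIRS):
        hits.append("onedrive_updater_outside_install_path")
    return hits


def scan(events: Iterable[Dict[str, str]], approved_rmm: Iterable[str] = ()) -> List[Tuple[str, List[str]]]:
    """Evaluate every event and keep only those with at least one hit."""
    approved = tuple(approved_rmm)
    out: List[Tuple[str, List[str]]] = []
    for ev in events:
        hits = evaluate(ev, approved)
        if hits:
            out.append((ev.get("Image", ""), hits))
    return out


SAMPLE_EVENTS = [  # constructed Sysmon-style process-creation events, not real telemetry
    {"Image": r"C:\Windows\System32\msiexec.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"msiexec.exe /x {PRODUCT-CODE} /qn /norestart"},  # placeholder product code
    {"Image": r"C:\ProgramData\rclone.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"rclone.exe copy C:\Shares\Finance mega:dump --transfers 8"},
    {"Image": r"C:\Users\jsmith\AppData\Local\Temp\AnyDesk.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "AnyDesk.exe --silent"},
    {"Image": r"C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRServer.exe",
     "ParentImage": r"C:\Windows\System32\services.exe", "CommandLine": "SRServer.exe"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"powershell.exe -ep bypass -File C:\Temp\PSnmap.ps1 -ComputerName 10.0.0.0/24"},
    {"Image": r"C:\Users\Public\OneDriveStandaloneUpdater.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "OneDriveStandaloneUpdater.exe"},
    {"Image": r"C:\Users\jsmith\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe", "CommandLine": "OneDriveStandaloneUpdater.exe"},
]

if __name__ == "__main__":
    # Splashtop is treated as the sanctioned RMM tool here; AnyDesk is not.
    for image, hits in scan(SAMPLE_EVENTS, approved_rmm=("splashtop",)):
        print(f"{image}: {', '.join(hits)}")
```

The allowlist is the part to get right in practice: an RMM tool an organisation genuinely uses will fire constantly unless it is exempted, and an attacker who reads the same vendor blog will reach for whichever tool is already present, so the approved tool should still be watched for installs from user-writable paths and for sessions originating from unfamiliar accounts.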

Rising Threat Landscape

Cactus has targeted over 100 entities since 2023, including Schneider Electric and the Los Angeles Housing Authority.

With affiliates now adopting Black Basta’s infrastructure, its global reach and impact continue to grow.

AnuPriya
AnuPriya is a cybersecurity reporter at Cyber Press, specializing in cyber attacks, dark web monitoring, data breaches, vulnerabilities, and malware. She delivers in-depth analysis on emerging threats and digital security trends.