
Cactus Ransomware Group Publishes Two New Victims on Dark Web Portal


The Cactus ransomware group has intensified its extortion campaign by targeting two new U.S.-based organizations: industrial equipment supplier Bishop Lifting and managed services provider BluEdge.

This development underscores the group’s persistent exploitation of network vulnerabilities and its growing proficiency in double extortion tactics.

Both victims now appear on Cactus’ dark web leak site, with BluEdge’s breach involving approximately 994GB of sensitive data, including financial records, customer information, and project files.

Notably, Bishop Lifting had previously suffered a CL0P ransomware attack in October 2024, highlighting its recurrent susceptibility to cyber threats.

Technical Modus Operandi of Cactus Ransomware

According to the post from FalconFeeds.io, Cactus ransomware, active since March 2023, employs a multi-layered attack strategy.

Initial access is typically achieved by exploiting vulnerabilities in public-facing applications, particularly Fortinet VPN appliances (CVE-2023-38035).

Once inside the network, attackers deploy SSH backdoors for command-and-control (C2) persistence and leverage tools like SoftPerfect Network Scanner or custom PowerShell scripts (PSnmap.ps1) to map the environment.

Remote Monitoring and Management (RMM) software such as AnyDesk and Splashtop is then installed to maintain access.

The ransomware binary, encrypted using OpenSSL libraries, evades detection by storing decryption keys in the C:\ProgramData\ntuser.dat file.

During execution, Cactus terminates critical services, including backup utilities such as Veeam and SQL processes, and deletes Volume Shadow Copies to inhibit recovery.

Files larger than 7.7MB undergo partial encryption via AES-256 CBC with a randomly generated key, while smaller files are fully encrypted.

The AES key is then encrypted using a 4096-bit RSA public key, rendering decryption infeasible without the attackers’ private key.

Encrypted files receive the .cts<numeric> extension, and ransom notes named C.A.c_T.U-S-R.e-a_D.m-e are dropped across directories.

BluEdge Breach: A Case Study in Data Exposure

BluEdge, a managed print and document services provider, suffered a significant breach involving 994GB of exfiltrated data.

The compromised information includes database backups, payroll records, financial documents, and proprietary project blueprints.

Such data exposure not only jeopardizes client confidentiality but also provides attackers with leverage for secondary extortion.

Cactus’ leak site claims to have published less than 1% of the stolen data, a common pressure tactic to coerce ransom payments.

Bishop Lifting: Recurring Vulnerabilities Exploited

Bishop Lifting’s reappearance on a ransomware leak site, this time Cactus’, follows its October 2024 breach by the CL0P group.

CL0P, linked to Russian cybercriminal collective TA505, had exploited a SQL injection vulnerability (CVE-2023-34362) in Progress Software’s MOVEit platform during its earlier attack.

The repeated targeting suggests unaddressed security gaps, potentially including insufficient patch management or network segmentation.

Implications and Mitigation Strategies

Cactus’ operational sophistication mirrors trends observed in ransomware-as-a-service (RaaS) ecosystems, where affiliates exploit standardized attack playbooks for rapid deployment.

Organizations are urged to:

  • Patch VPN Appliances: Prioritize remediation of vulnerabilities in Fortinet, Qlik Sense, and other public-facing systems.
  • Monitor RMM Tool Usage: Detect anomalous installations of AnyDesk or Splashtop, which often precede ransomware payloads.
  • Enforce Multi-Factor Authentication (MFA): Mitigate credential theft risks, particularly for Remote Desktop Protocol (RDP) access.
  • Segment Networks: Limit lateral movement by isolating critical systems from general corporate networks.
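The "Monitor RMM Tool Usage" recommendation and the file-level indicators described earlier (the .cts<numeric> extension and the C.A.c_T.U-S-R.e-a_D.m-e ransom note) can be turned into a simple host triage rule. The following Python is an added example written for this article, not code from FalconFeeds.io or any vendor; the event format, the sample telemetry and the netscan.exe file name for SoftPerfect Network Scanner are assumptions made here.

```python
import re
from collections import defaultdict

# Constructed sample endpoint telemetry for this example, not real logs.
# The "timestamp|host|kind|value" layout is an assumption made here.
SAMPLE_EVENTS = """\
2025-05-01T08:12:03|ws-14|process|C:\\Users\\jdoe\\Downloads\\AnyDesk.exe
2025-05-01T08:12:40|ws-14|process|powershell.exe -File C:\\temp\\PSnmap.ps1
2025-05-01T08:13:10|ws-14|process|C:\\Windows\\System32\\notepad.exe
2025-05-01T09:01:55|srv-files|file|D:\\Projects\\q1-budget.xlsx.cts1
2025-05-01T09:01:56|srv-files|file|D:\\Projects\\C.A.c_T.U-S-R.e-a_D.m-e
2025-05-01T09:02:01|srv-files|file|D:\\Projects\\notes.txt.cts2
2025-05-01T09:02:30|srv-files|file|D:\\Projects\\readme.txt
"""

# Indicators named in the article: RMM tools, the PSnmap.ps1 mapping script,
# the .cts<numeric> extension and the ransom-note file name.
RMM_NAMES = ("anydesk", "splashtop")
RECON_MARKERS = ("psnmap.ps1", "netscan.exe")  # netscan.exe for SoftPerfect is an assumption
CTS_EXT = re.compile(r"\.cts\d+$", re.IGNORECASE)
RANSOM_NOTE = "C.A.c_T.U-S-R.e-a_D.m-e"

def classify(event):
    """Map one event line to an indicator category, or None if nothing matches."""
    _ts, _host, kind, value = event.split("|", 3)
    low = value.lower()
    if kind == "process" and any(n in low for n in RMM_NAMES):
        return "rmm_tool"
    if kind == "process" and any(m in low for m in RECON_MARKERS):
        return "network_recon"
    if kind == "file" and value.endswith(RANSOM_NOTE):
        return "ransom_note"
    if kind == "file" and CTS_EXT.search(value):
        return "cts_extension"
    return None

def triage(events, min_encrypted=2):
    """Per host: 'encryption_in_progress' when a ransom note and at least
    min_encrypted .cts files are seen, 'precursor_activity' for RMM/recon only."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in events.splitlines():
        cat = classify(line)
        if cat:
            hits[line.split("|")[1]][cat] += 1
    result = {}
    for host, cats in hits.items():
        if cats.get("ransom_note") and cats.get("cts_extension", 0) >= min_encrypted:
            result[host] = "encryption_in_progress"
        elif "rmm_tool" in cats or "network_recon" in cats:
            result[host] = "precursor_activity"
        else:
            result[host] = "low"
    return result
```

Running `triage(SAMPLE_EVENTS)` flags ws-14 as precursor activity (RMM install plus network mapping) and srv-files as encryption in progress, which is the point at which isolating the host matters more than further analysis.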

The Schneiderman Institute of Cybersecurity emphasizes that “proactive threat hunting and immutable backups remain the most effective defenses against evolving ransomware tactics”.

As Cactus continues to refine its encryption and evasion techniques, organizations must adopt a zero-trust architecture to counter these persistent threats.
