Cactus Ransomware: What You Need To Know



What is the Cactus ransomware?

Cactus is a ransomware-as-a-service (RaaS) group that encrypts victims' data and demands a ransom for a decryption key.

Hundreds of organisations have found themselves victims of Cactus since it was first discovered in March 2023, with their stolen data published on the dark web as an "incentive" to give in to the extortionists' demands.

So far, so sadly normal. What makes Cactus different?

Cactus made a name for itself by exploiting vulnerabilities in VPN appliances to gain access to corporate networks, and by encrypting its own code in an attempt to evade detection by anti-virus products.

More recently, researchers have uncovered possible connections between Cactus and the Black Basta ransomware group.

Both Cactus and Black Basta have made use of the BackConnect module, a type of malware used by attackers to gain and maintain persistent control over compromised systems, suggesting an overlap between the two gangs.

Researchers have observed Cactus ransomware attackers using BackConnect to steal sensitive data such as login credentials, financial data, and personal information. In addition, research released by Trend Micro shows that both Cactus and Black Basta have used the same social engineering trick of flooding employees' email inboxes with thousands of emails.

The attackers would then make a voice call to the user suffering the email bombardment, claiming to work for the company's IT helpdesk, and offering to resolve the problem.

The user is then socially engineered into agreeing to grant the caller remote access to their computer, allowing the attacker to run malicious code.
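The email-bombing stage described above is noisy, which makes it detectable before the helpdesk call ever happens. The following is an added example, not code from the article or from Trend Micro: it runs a sliding-window count over a constructed, simplified delivery log (one line per inbound message, `<timestamp> to=<recipient> from=<sender>`) and flags any mailbox that receives more than a threshold of messages inside a short window. The threshold, window and log format are assumptions a defender would tune to their own mail volume.

```python
"""Flag mailboxes hit by an inbound mail flood (email bombing).

Added example; the log format, threshold and window below are assumptions,
not anything the article or the cited research specifies.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone


def parse_line(line):
    """Parse '<ISO-8601 timestamp> to=<rcpt> from=<sender>' into a tuple."""
    ts_s, to_f, from_f = line.split()
    ts = datetime.fromisoformat(ts_s.replace("Z", "+00:00"))
    return ts, to_f[len("to="):], from_f[len("from="):]


def detect_email_bombing(lines, threshold=50, window=timedelta(minutes=5)):
    """Return {recipient: stats} for mailboxes that received >= threshold
    messages inside any `window`-long sliding interval.

    `distinct_senders` is reported because a subscription-bomb typically
    arrives from many unrelated list senders, unlike a single misbehaving
    application flooding one mailbox.
    """
    events = sorted(parse_line(l) for l in lines if l.strip())
    recent = defaultdict(deque)      # recipient -> timestamps inside window
    senders = defaultdict(set)       # recipient -> distinct sender addresses
    alerts = {}
    for ts, rcpt, sender in events:
        q = recent[rcpt]
        q.append(ts)
        senders[rcpt].add(sender)
        while q and ts - q[0] > window:   # drop timestamps outside the window
            q.popleft()
        if len(q) >= threshold:
            a = alerts.setdefault(rcpt, {"peak": 0, "first": q[0], "last": ts})
            a["peak"] = max(a["peak"], len(q))
            a["last"] = ts
            a["distinct_senders"] = len(senders[rcpt])
    return alerts


def build_sample_log():
    """Constructed sample: one mailbox bombed with 120 messages from 120
    distinct senders in four minutes, one mailbox with normal traffic."""
    base = datetime(2025, 3, 3, 9, 0, 0, tzinfo=timezone.utc)

    def stamp(ts):
        return ts.isoformat().replace("+00:00", "Z")

    lines = []
    for i in range(120):
        ts = base + timedelta(seconds=2 * i)
        lines.append(f"{stamp(ts)} to=alice@corp.example "
                     f"from=list{i}@newsletter{i % 40}.example")
    for i in range(4):
        ts = base + timedelta(minutes=i)
        lines.append(f"{stamp(ts)} to=bob@corp.example "
                     f"from=colleague{i}@corp.example")
    return lines


if __name__ == "__main__":
    for rcpt, stats in detect_email_bombing(build_sample_log()).items():
        print(f"ALERT {rcpt}: peak {stats['peak']} msgs in window, "
              f"{stats['distinct_senders']} distinct senders, "
              f"{stats['first']} .. {stats['last']}")
```

An alert from this check is the cue to warn the affected user that any unsolicited "IT helpdesk" call about the flood is part of the attack, and that remote-access requests made over such a call should be refused and reported.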

Nasty. How will I know if my computers have been hit by Cactus ransomware?

Once Cactus has infected a PC, it will attempt to uninstall anti-virus software, hunt for further targets to infect, and use a variety of techniques to steal information and files before they are encrypted.

After files have been exfiltrated and encrypted, a ransom note is left on the victim's computer with the filename "cAcTuS.readme.txt".

Encrypted files can be identified easily, as their extensions will have been changed to .cts1 or .cts7.
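The two file-system indicators the article names (the ransom note filename and the .cts1/.cts7 extensions) are enough for a first-pass sweep of a suspect host or a file share. The following is an added example, not tooling from the article or the Cactus group: it walks a directory tree, collects matches case-insensitively, and returns a verdict in which a ransom note counts as confirmation while renamed extensions alone are only treated as suspicious, because an extension match by itself can be a false positive. The sample tree is constructed in a temporary directory.

```python
"""Sweep a directory tree for the Cactus file indicators named in the article.

Added example. The indicator values come from the article text; the sample
directory layout is constructed here and is not real victim data.
"""
import os
import tempfile
from collections import Counter

RANSOM_NOTE = "cactus.readme.txt"        # article: "cAcTuS.readme.txt"; matched case-insensitively
ENCRYPTED_EXTS = {".cts1", ".cts7"}      # article: extensions changed to .cts1 or .cts7


def scan_for_cactus_indicators(root):
    """Walk `root` and return ransom notes, encrypted files and per-directory counts."""
    notes, encrypted = [], []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            lower = name.lower()
            path = os.path.join(dirpath, name)
            if lower == RANSOM_NOTE:
                notes.append(path)
            elif os.path.splitext(lower)[1] in ENCRYPTED_EXTS:
                encrypted.append(path)
    dirs_hit = Counter(os.path.dirname(p) for p in encrypted)
    return {"ransom_notes": notes, "encrypted_files": encrypted, "dirs_hit": dirs_hit}


def assess(result):
    """Turn a scan result into a triage verdict.

    A ransom note is treated as confirmation; encrypted-looking extensions
    without a note are only 'suspicious', since an extension match alone can
    be coincidental.
    """
    if result["ransom_notes"]:
        return "confirmed"
    if result["encrypted_files"]:
        return "suspicious"
    return "clean"


def build_sample_tree(root):
    """Constructed sample tree: one directory hit, one untouched."""
    layout = {
        "docs": ["report.docx.cts1", "budget.xlsx.CTS7", "cAcTuS.readme.txt"],
        "src": ["main.py", "notes.txt"],
    }
    for sub, names in layout.items():
        os.makedirs(os.path.join(root, sub), exist_ok=True)
        for name in names:
            with open(os.path.join(root, sub, name), "w") as fh:
                fh.write("sample\n")


def demo():
    """Build the sample tree in a temp dir, scan it and return (result, verdict)."""
    root = tempfile.mkdtemp(prefix="cactus-ioc-")
    build_sample_tree(root)
    result = scan_for_cactus_indicators(root)
    return result, assess(result)


if __name__ == "__main__":
    result, verdict = demo()
    print("verdict:", verdict)
    print("ransom notes:", result["ransom_notes"])
    print("encrypted files:", len(result["encrypted_files"]))
    for d, n in result["dirs_hit"].items():
        print(f"  {d}: {n} encrypted file(s)")
```

On a real incident the sweep should run from a clean system against mounted or network-shared volumes rather than from the suspect host itself, and a "confirmed" verdict should trigger isolation of the machine before any further investigation, since the article notes that exfiltration precedes encryption and the attacker may still have access.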

Who has fallen victim to the Cactus ransomware?

Victims of the Cactus ransomware in the past have included energy management and automation giant Schneider Electric, and the Housing Authority of the City of Los Angeles (HACLA).

The Black Basta ransomware group has impacted a wide range of organisations, with the FBI warning last year about the threat it posed to hospitals after some were forced to turn away ambulances following an attack.

So how can my company protect itself from Cactus?

The best advice is to follow the recommendations on how to protect your organisation from other ransomware. Those include:

  • Making secure offsite backups.
  • Running up-to-date security solutions and ensuring that your computers and network devices are properly configured and protected with the latest security patches against vulnerabilities.
  • Using hard-to-crack, unique passwords to protect sensitive data and accounts, as well as enabling multi-factor authentication.
  • Encrypting sensitive data wherever possible.
  • Reducing the attack surface by disabling functionality that your company doesn't need.
  • Educating and informing staff about the risks and techniques used by cybercriminals to launch attacks and steal data.

Editor's Note: The opinions expressed in this and other guest author articles are solely those of the contributor and do not necessarily reflect those of Tripwire.
