Highlights:

  • The ransomware binary is protected by encryption, which sets Cactus apart from other operations. The actor downloads the encryptor binary with 7-Zip using a batch script.
  • The ransomware, known as “Cactus,” was found by security researchers at Kroll LLC and is thought to have been used for the first time in March.

An innovative ransomware group that targets vulnerabilities in virtual private network appliances has been discovered. The ransomware encrypts itself to evade detection by security software.

The ransomware, known as “Cactus,” was found by security researchers at Kroll LLC and is thought to have been used for the first time in March. Before starting work, the ransomware targets are existing vulnerabilities in Fortinet Inc. VPN appliances for gaining access to large corporations.

Although Cactus follows the typical ransomware procedures—spreading through a targeted network, stealing, and encrypting files—its obfuscation technique sets it apart from other ransomware that has come before it.

Catcus protects the ransomware binary with encryption, according to a report published by Bleeping Computer. The Cactus developers use a batch script to bypass antivirus software and other security measures to download the encryptor binary using 7-Zip. After that, the binary is deployed with a specific flag that permits it to run, and the original ZIP archive is deleted.

However, Cactus continues to make efforts to blend in. The ransomware also uses a batch script to delete the most popular antivirus programs.

Cactus has not established a leak site, although the group steals information from the affected victims and transfers it using the Rclonbe tool. Contrary to how ransomware operators typically direct victims, the Cactus ransom note asks victims to connect with them by email or a chat service for requesting to recover their files and prevent data disclosure.

Executive Vice President of BullWall Ltd., a ransomware containment company, Steve Hahn, said to a media house, “This is yet another way for ransomware to completely evade the endpoint security tools such as antivirus and endpoint detection and response and highlights just how easy it is for the threat actors to kick off a ransomware attack despite the most sophisticated detection tools on the planet. Every year, ransomware completely takes down thousands of enterprises. In each such event, the impacted companies invested heavily in prevention tools and were given guarantees such as ‘completely effective against ransomware.’”

Hahn continued that every ransomware incident discovered a way to turn off or avoid using those tools. “It’s simply a matter of time before any business is hit, loses their infrastructure for weeks and critical data permanently.”