The main characteristics of ransomware
Posted: Wed Dec 18, 2024 5:15 am
The ransomware takes its name from the ransom note it drops, a file called cAcTuS.readme.txt.
The history of Cactus ransomware is very short: it has been active since March 2023. The operators exploit vulnerabilities in Fortinet VPN appliances in order to get into the networks of large commercial organisations.
In all cases observed by Kroll, the attacker gained access through the VPN service and then set up an SSH backdoor, reachable from a command and control (C2) server, to keep control of the compromised devices. Once inside the network, the intruder performs reconnaissance with SoftPerfect Network Scanner (netscan) to pick out the most attractive targets.
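The two network-side behaviours just described can be hunted for in connection logs. The following is an added example, not code from the original post or from Kroll: it flags SSH sessions between the VPN appliance and any address outside the internal ranges (the footprint of a backdoor reached from a C2 server), and any internal host that contacts many other internal hosts within a short window, which is what a SoftPerfect Network Scanner sweep looks like on the wire. The flow record format, the appliance address 10.0.0.1, the sample flows and the thresholds are all assumptions constructed for the example.

```python
"""Hunting for the two network behaviours above over constructed flow records.

Added example; not code from the original post. The record format, the
appliance address, the sample flows and the thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

INTERNAL_RANGES = [ip_network("10.0.0.0/8"),
                   ip_network("172.16.0.0/12"),
                   ip_network("192.168.0.0/16")]
VPN_APPLIANCE = "10.0.0.1"   # assumed inside address of the VPN appliance

# Constructed flows: "<ISO timestamp> <src> <dst> <dst_port> <proto>".
# 203.0.113.7 plays the C2 host; 10.0.5.23 plays the host running netscan.
SAMPLE_FLOWS = """\
2024-12-18T03:00:01 10.0.0.1 203.0.113.7 22 tcp
2024-12-18T03:00:05 10.0.0.1 10.0.0.50 636 tcp
2024-12-18T03:02:14 203.0.113.7 10.0.0.1 22 tcp
2024-12-18T03:30:00 10.0.5.23 10.0.1.10 445 tcp
2024-12-18T03:30:01 10.0.5.23 10.0.1.11 445 tcp
2024-12-18T03:30:01 10.0.5.23 10.0.1.12 445 tcp
2024-12-18T03:30:02 10.0.5.23 10.0.1.13 445 tcp
2024-12-18T03:30:02 10.0.5.23 10.0.1.14 445 tcp
2024-12-18T03:30:03 10.0.5.23 10.0.1.15 3389 tcp
2024-12-18T03:45:00 10.0.7.9 10.0.1.10 445 tcp
2024-12-18T03:46:00 10.0.7.9 10.0.1.11 445 tcp
"""


def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_RANGES)


def parse_flows(text):
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, proto = line.split()
        flows.append({"ts": datetime.fromisoformat(ts), "src": src,
                      "dst": dst, "port": int(port), "proto": proto})
    return flows


def external_ssh_with_appliance(flows, appliance=VPN_APPLIANCE):
    """TCP/22 in either direction between the appliance and a non-internal
    address: the footprint of an SSH backdoor reachable from a C2 server."""
    hits = []
    for f in flows:
        if f["proto"] != "tcp" or f["port"] != 22:
            continue
        if f["src"] == appliance and not is_internal(f["dst"]):
            hits.append((f["ts"], f["dst"], "outbound"))
        elif f["dst"] == appliance and not is_internal(f["src"]):
            hits.append((f["ts"], f["src"], "inbound"))
    return hits


def internal_sweeps(flows, window=timedelta(seconds=60), min_hosts=5):
    """Internal sources that reach >= min_hosts distinct internal hosts
    inside one window; returns {src: peak distinct-host count}."""
    by_src = defaultdict(list)
    for f in flows:
        if is_internal(f["src"]) and is_internal(f["dst"]):
            by_src[f["src"]].append(f)
    findings = {}
    for src, fl in by_src.items():
        fl.sort(key=lambda f: f["ts"])
        peak = 0
        for i, start in enumerate(fl):
            # distinct destinations reached within `window` of this flow
            seen = {g["dst"] for g in fl[i:] if g["ts"] - start["ts"] <= window}
            peak = max(peak, len(seen))
        if peak >= min_hosts:
            findings[src] = peak
    return findings


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for ts, peer, direction in external_ssh_with_appliance(flows):
        print(f"{ts} SSH {direction} between appliance and {peer}")
    for src, n in internal_sweeps(flows).items():
        print(f"{src} touched {n} internal hosts within 60s (possible netscan sweep)")
```

The SSH check deliberately looks in both directions: the post only says the backdoor is reached from the C2, and a reverse-SSH backdoor would show up as an outbound session from the appliance rather than an inbound one. The sweep threshold (five distinct hosts in sixty seconds) is low for the sake of the sample data; on a real network it should be tuned against the baseline of backup and monitoring hosts that legitimately fan out.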
Another distinctive feature of Cactus is that the ransomware's own code is protected by encryption. Two mechanisms are used for this: a 7-Zip archive and a batch script. The batch script also uses msiexec to remove the antivirus protection, after which the actor can operate freely and steal data. For the exfiltration Cactus uses Rclone, which copies files to cloud storage.
According to Kroll's analysts, this use of encryption is unique among ransomware families.
How does Cactus ransomware spread?
We have touched on the methods Cactus uses to spread; now we look at them in more detail. After breaking into the network, the attackers turn to identifying the weakest accounts and endpoints. How? By running PowerShell commands and pinging remote hosts, which lets them map the network and single out the endpoints and accounts that are easiest to encrypt.
The next step is to create new accounts and use scripts that spread the ransomware stealthily and persistently through scheduled actions. The victim's files and data are then encrypted, and a ransom is demanded in exchange for their release.
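The host-side steps described in this section (PowerShell-driven pinging of remote hosts, new accounts, scripts launched by scheduled actions, antivirus removal via msiexec, Rclone transfers and the cAcTuS.readme.txt note) can be correlated per host from Windows event logs. The following is an added example, not code from the original post, from Kroll or from any vendor. It scores constructed event records by how many of those indicators each host shows. Event shapes, host names, paths, command lines and the thresholds are assumptions; the event IDs used are 4720 (user account created), 4698 (scheduled task created), 4688 (process creation with command line) and Sysmon 11 (file created), and treating the scheduled actions as scheduled-task creation is itself an assumption.

```python
"""Host-side correlation of the Cactus behaviours described above, over
constructed Windows event records.

Added example; not code from the original post, from Kroll or from any
vendor. Event shapes, host names, paths, command lines and thresholds are
assumptions. Event IDs: 4720 user account created, 4698 scheduled task
created, 4688 process creation (with command line), Sysmon 11 file created.
"""
from collections import Counter, defaultdict

POWERSHELL = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CMD = r"C:\Windows\System32\cmd.exe"

# Constructed records. FS01 shows the full chain; WS07 and DC01 are benign noise.
SAMPLE_EVENTS = [
    {"host": "FS01", "id": 4720, "user": "svc_backup2"},
    {"host": "FS01", "id": 4698, "task": "SystemUpdate",
     "action": r"C:\ProgramData\upd.bat"},
    {"host": "FS01", "id": 4688, "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"msiexec.exe /x C:\ProgramData\av.msi /qn", "parent": CMD},
    {"host": "FS01", "id": 4688, "image": r"C:\ProgramData\rclone.exe",
     "cmdline": r"rclone.exe copy D:\Shares remote:staging", "parent": CMD},
    {"host": "FS01", "id": 4688, "image": r"C:\Windows\System32\PING.EXE",
     "cmdline": "ping -n 1 10.0.1.10", "parent": POWERSHELL},
    {"host": "FS01", "id": 4688, "image": r"C:\Windows\System32\PING.EXE",
     "cmdline": "ping -n 1 10.0.1.11", "parent": POWERSHELL},
    {"host": "FS01", "id": 4688, "image": r"C:\Windows\System32\PING.EXE",
     "cmdline": "ping -n 1 10.0.1.12", "parent": POWERSHELL},
    {"host": "FS01", "id": 11, "file": r"D:\Shares\cAcTuS.readme.txt"},
    {"host": "WS07", "id": 4688, "image": r"C:\Windows\System32\PING.EXE",
     "cmdline": "ping -n 1 10.0.1.1", "parent": CMD},
    {"host": "WS07", "id": 4688, "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"msiexec.exe /i C:\Temp\tool.msi /qn",
     "parent": r"C:\Windows\explorer.exe"},
    {"host": "DC01", "id": 4720, "user": "jdoe"},
]


def indicators_by_host(events, ping_threshold=3):
    """Return {host: set of indicator names} for the behaviours in the post."""
    found = defaultdict(set)
    pings = Counter()   # ping.exe spawned by PowerShell, per host
    for e in events:
        host, eid = e["host"], e["id"]
        if eid == 4720:
            found[host].add("new_account")
        elif eid == 4698 and e.get("action", "").lower().endswith((".bat", ".cmd", ".ps1")):
            found[host].add("scheduled_script")
        elif eid == 4688:
            image = e.get("image", "").lower()
            cmd = e.get("cmdline", "").lower()
            parent = e.get("parent", "").lower()
            # msiexec in uninstall mode (/x or /uninstall) is how the post
            # describes antivirus being switched off; a plain /i install is not flagged
            if image.endswith("msiexec.exe") and (" /x" in cmd or "/uninstall" in cmd):
                found[host].add("msiexec_uninstall")
            elif image.endswith("rclone.exe") or cmd.startswith("rclone"):
                found[host].add("rclone_transfer")
            elif image.endswith("ping.exe") and parent.endswith("powershell.exe"):
                pings[host] += 1
        elif eid == 11 and e.get("file", "").lower().endswith("cactus.readme.txt"):
            found[host].add("ransom_note")
    for host, n in pings.items():
        if n >= ping_threshold:
            found[host].add("powershell_ping_sweep")
    return dict(found)


def hosts_of_concern(events, min_indicators=2):
    """Hosts showing at least min_indicators distinct behaviours, with the list."""
    return sorted((host, sorted(ind))
                  for host, ind in indicators_by_host(events).items()
                  if len(ind) >= min_indicators)


if __name__ == "__main__":
    for host, ind in hosts_of_concern(SAMPLE_EVENTS):
        print(f"{host}: {', '.join(ind)}")
```

Requiring two or more indicators on the same host is what keeps this from paging on every new account or every msiexec uninstall; a single indicator such as DC01's account creation is left for routine review, while a host that combines account creation, a scheduled script and an uninstall is worth an immediate look even before any ransom note appears.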