CACTUS Ransomware Utilizes VPN Vulnerabilities to Breach Networks

New Ransomware Puts VPNs at Risk

This new ransomware strain targets VPN appliances to obtain initial access to targeted networks. Upon infiltrating the network, CACTUS perpetrators enumerate the available local and network user accounts, as well as the reachable endpoints. They then create new user accounts and use custom scripts to automate the deployment and detonation of the ransomware encryptor via scheduled tasks.
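The two post-access steps described above, new account creation followed by scheduled-task deployment, both leave traces in the Windows Security log (event 4720 "a user account was created", event 4698 "a scheduled task was created"). The following is an added detection example written for this page, not code from the original post or from any vendor; the hostnames, account names and task names in the sample records are constructed, and the 24-hour correlation window is an assumed tuning value.

```python
"""Correlate Windows Security events for the pattern the post describes:
a new account is created on a host and, shortly afterwards, a scheduled task
is registered on that same host.  The sample events below are constructed for
illustration (hypothetical hosts and accounts), not taken from a real incident."""
from datetime import datetime, timedelta

# Constructed sample events (hypothetical).  Field names loosely mirror the
# Windows Security log: 4720 = user account created, 4698 = scheduled task created.
SAMPLE_EVENTS = [
    {"time": "2023-05-01T02:10:00", "host": "FS01", "event_id": 4720,
     "subject": "CORP\\svc_backup", "target": "helpdesk2"},
    {"time": "2023-05-01T02:35:00", "host": "FS01", "event_id": 4698,
     "subject": "CORP\\svc_backup", "task": "\\Updater"},
    {"time": "2023-05-01T09:00:00", "host": "WS17", "event_id": 4698,
     "subject": "CORP\\alice", "task": "\\OneDrive Sync"},
    {"time": "2023-05-02T11:00:00", "host": "DC01", "event_id": 4720,
     "subject": "CORP\\hr_admin", "target": "jdoe"},
]


def correlate(events, window=timedelta(hours=24)):
    """Return one alert per (account creation, scheduled task) pair on the same
    host where the task was created within `window` after the account."""
    by_host = {}
    for e in sorted(events, key=lambda e: e["time"]):
        by_host.setdefault(e["host"], []).append(e)

    alerts = []
    for host, evs in by_host.items():
        creations = [e for e in evs if e["event_id"] == 4720]
        tasks = [e for e in evs if e["event_id"] == 4698]
        for c in creations:
            t0 = datetime.fromisoformat(c["time"])
            for t in tasks:
                t1 = datetime.fromisoformat(t["time"])
                if t0 <= t1 <= t0 + window:
                    alerts.append({
                        "host": host,
                        "new_account": c["target"],
                        "task": t["task"],
                        "actor": t["subject"],
                        "minutes_between": int((t1 - t0).total_seconds() // 60),
                    })
    return alerts


if __name__ == "__main__":
    # Only FS01 shows both steps in sequence; WS17 and DC01 show one each.
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Either event on its own is routine administration; the correlation is what makes it worth a look. In practice the same query is run against a SIEM rather than an in-memory list, and the window should be tuned to the environment's normal provisioning cadence.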

CACTUS has been targeting large commercial entities since March 2023, using double extortion tactics. Though no data leak site has been confirmed, that does not mean one does not exist.

After the initial foothold, the infection chain spans three to five days at most, after which you are held hostage and extorted. This ransomware encrypts itself, making it hard to discover in your systems.

CACTUS is believed to infiltrate networks through vulnerable public-facing websites and servers, highlighting the importance of keeping systems up-to-date and implementing the principle of least privilege to prevent such attacks.

At Britec, we stay on the pulse of information security and all our clients are patched and protected. If you have been impacted and need help, please contact us.