Cactus is a ransomware strain discovered in March 2023 known for having compromised more than 140 entities as of July 2024.

Cactus typically obtains access to corporate networks by exploiting vulnerabilities in externally facing Virtual Private Network (VPN) software. Once access is secured, the ransomware establishes Command and Control (C2) communications with its operator via Secure Shell (SSH).

Cactus employs double extortion tactics in which, in addition to encrypting information done through RSA 2096 and AES-256 CBC, it also tries to exfiltrate it. In this way, the operator pressures victims by releasing personal information about the victim organization’s employees; this has included driver’s licenses, passports, photos, and other personal identification if they refuse to pay the ransom.

Validating your security program performance against these behaviors is vital in reducing risk. By using this new assessment template in the AttackIQ Security Optimization Platform, security teams will be able to:

• Evaluate security control performance against baseline behaviors associated with the Cactus ransomware.
• Assess their security posture against an opportunistic adversary, which does not discriminate when it comes to selecting its targets.
• Continuously validate detection and prevention pipelines against a playbook similar to those of many of the groups currently focused on ransomware activities.

Cactus Ransomware – 2024-01 – Associated Tactics, Techniques, and Procedures (TTPs)

Since March 2023, the Cactus Ransomware has been observed carrying out extortion attacks against a wide variety of organizations. By October 2023, Cactus had only 5 disclosures posted on its dedicated leak site (DLS) but over the next month had a steady increase to the publication of 10 victims. By December 2023, a drastic increase was observed with the addition of +30 victims. As of April 2024, Cactus had compromised over 100 entities worldwide.

This attack graph seeks to emulate the sequence of behaviors associated with the deployment of Cactus ransomware on a compromised system with the intent of providing customers with opportunities to prevent and/or detect a compromise in progress.

The assessment template is based on behaviors reported by Trellix on July 11, 2024, ShadowStackRE on January 22, 2024, and SecurityScorecard on October 20, 2023.

Initial Access & Persistence – Securing Access

This stage begins immediately after the exploitation of known vulnerabilities in public-facing applications for initial access. Once access is granted, a scheduled task is created to ensure the persistence of Secure Shell (SSH) communications between the compromised system and external infrastructure.

Then, information about user access to the system is obtained by collecting Windows Event ID 4624 logs. Finally, a new account is created and immediately added to the local Administrators group.

Scheduled Task/Job: Scheduled Task (T1053.005): This scenario acquires persistence through the creation of a new scheduled task using the schtasks utility.

Remote Services: SSH (T1021.004): This scenario will initiate an SSH connection to an external AttackIQ-hosted server to exercise restrictions in outbound traffic.

Log Enumeration (T1654): This scenario executes the PowerShell cmdlet Get-EventLog to gather log entries for event ID 4624 which provides information regarding users that have logged into the system.

Create Account: Local Account (T1136.001): This scenario creates a new account with the name AdmInBac using the net user command.

Account Manipulation (T1098): This scenario adds a local user to a local group using the net localgroup command.

Execution – Payload Staging and Deployment

This stage performs the staging of a support batch file named f2.bat, which is then added to a registry RunOnce key to ensure its persistence. Then, an encoded PowerShell command is executed with the “-ex bypass” and “-nop” flags.

Ingress Tool Transfer (T1105): This scenario downloads to memory and saves to disk in independent scenarios to test network and endpoint controls and their ability to prevent the delivery of known malicious samples.

Logon Autostart Execution: Registry Run Keys (T1547.001): This scenario sets the HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce registry key that Windows uses to identify what applications should be run at system startup.

Command and Scripting Interpreter: PowerShell (T1059.001): This scenario encodes a user-defined PowerShell script into base64 and then executes it using PowerShell's -encodedCommand parameter.

Impact – Ransomware Deployment and Encryption

This stage begins with the deployment of Cactus Ransomware, which will attempt to conceal the directory in which the executable is located once executed.

Subsequently, Cactus will seek to list all active processes, through API calls, prior to the removal of Volume Shadow Copies using vssadmin.exe.

After this, Cactus will look to discover, also through API calls, disks, directories, and files available for encryption, which will be done through a combination of RSA and AES in CBC mode.

Hide Artifacts: Hidden Files and Directories (T1564.001): This scenario hides files in the filesystem through the execution of a batch script. Enabling the hidden attribute is an attempt to prevent malicious files from being detected by defenders.

Process Discovery (T1057): The Windows API is used to receive a list of running processes by calling CreateToolhelp32Snapshot and iterating through each process object with Process32FirstW and Process32NextW.

Inhibit System Recovery (T1490): This scenario executes the vssadmin.exe utility to delete a recent Volume Shadow Copy created by the assessment template.

Peripheral Device Discovery (T1120): This scenario retrieves information about the system’s physical disks using the GetLogicalDriveStringsW and GetDriveTypeW API calls.

File and Directory Discovery (T1083): This scenario will call the FindFirstFileW and FindNextFileW Windows API to perform the enumeration of the file system.

Data Encrypted for Impact (T1486): This scenario performs the file encryption routines used by common ransomware families. Files matching an extension list are identified and encrypted in place using similar encryption algorithms as used by Cactus ransomware.

Opportunities to Expand Emulation Capabilities

In addition to the released assessment template, AttackIQ recommends the following scenario to extend the emulation of the capabilities exhibited by Cactus ransomware.

Lateral Movement Through PAExec: This scenario is meant to move laterally within a network using PAExec (an open-source version of PSExec). The actions performed in this scenario are remote login against specified machines using given credentials and executing the hostname command on the remote system.

Detection and Mitigation Opportunities

Given the number of different techniques being utilized by this threat, it can be difficult to know which to prioritize for prevention and detection opportunities. AttackIQ recommends first focusing on the following techniques emulated in our scenarios before moving on to the remaining techniques.

1. Ingress Tool Transfer (T1105):

This actor relies heavily in downloading additional stages of malware. Endpoint and Network security controls should both be employed to try and detect the delivery of these malicious payloads.

1a. Detection

The following signatures can help identify when native utilities are being used to download malicious payloads.

PowerShell Example:

Process Name == (Cmd.exe OR Powershell.exe)
Command Line CONTAINS ((“IWR” OR “Invoke-WebRequest") AND “DownloadData” AND “Hidden”)

1b. Mitigation

MITRE ATT&CK has the following mitigation recommendations.

• M1031 – Network Intrusion Prevention

2. Scheduled Task/Job: Scheduled Task (T1053.005):

Adversaries may abuse the Windows Task Scheduler to perform task scheduling for initial or recurring execution of malicious code. There are multiple ways to access the Task Scheduler in Windows. The schtasks utility can be run directly from the command line, or the Task Scheduler can be opened through the GUI within the Administrator Tools section of the Control Panel.

2a. Detection

With an EDR or SIEM Platform, you can detect the following commands being issued to schedule a malicious task.

Process Name = (“cmd.exe” OR “Powershell.exe”)
Command Line CONTAINS (“schtasks” AND “/CREATE” AND (“cmd” OR “powershell”)

2b. Mitigation

MITRE ATT&CK has the following mitigation recommendations for Scheduled Task

3. Data Encrypted for Impact (T1486):

Preventing systems and files from being encrypted should be a top priority. Ensuring that you have layered endpoint defenses including Antivirus and EDR solutions is critical.

3a. Detection

Ransomware attacks are best prevented and alerted by your EDR/AV Policies. Typically, a configuration for ransomware protection is presented and we strongly encourage that it is enabled in your security controls.

There are three telling signs of ransomware activity in an environment that you could query for and possibly make preventative detections if your security controls allow. Those three are deletion of shadow volumes, suspicious amounts of exfiltrated data, and of course, wide set file encryption.

Detecting deletion of shadow volumes is usually the first step that occurs and can be detected by looking at command line activity:

Via vssadmin.exe:

Process Name == (cmd.exe OR powershell.exe)
Command Line CONTAINS (“vssadmin” AND “Delete Shadows”)

Via PowerShell:

Process Name == powershell.exe
Command Line == “Get-WmiObject Win32_Shadowcopy | ForEach-Object ($_.Delete();)”

Detecting suspicious Data Exfiltration: Detecting exfiltration is well suited for IDS/IPS and DLP solutions. These products should be configured to identify sensitive files. If sensitive files, or a large amount of web traffic is sent to a rare external IP, it should be detected or prevented depending on security policies for the security control. Historical NetFlow data logging can also bubble up hosts that are experience uncommon peaks in outgoing traffic.

Detecting Ransomware-like File Encryption: Utilizing an EDR or SIEM/SOAR product can help detect and prevent suspicious file encryption related to ransomware attacks. Utilizing these tools to look for excessive file modifications (greater than 1000 on a system) within less than a minute of time is a good starting indicator.

To increase the fidelity a bit, you could include file modification of file extensions to popular ransomware extensions such as .conti, .Locky, .Ryuk, etc. If possible, with a SOAR or preventative EDR platform, we recommend setting these detections to kill all processes involved in creating the alert as it will most likely stop the spread of the Ransomware.

3b. Mitigation

MITRE ATT&CK Recommends the following mitigations:

Wrap-up

In summary, this attack graph will evaluate security and incident response processes and support the improvement of your security control posture against the activities carried out by Cactus ransomware operators. With data generated from continuous testing and use of this assessment template, you can focus your teams on achieving key security outcomes, adjust your security controls, and work to elevate your total security program effectiveness against a known and dangerous threat.

AttackIQ offers a comprehensive Breach and Attack Simulation Platform to assist security teams. This includes AttackIQ Flex, a tailored pay-as-you-go service; AttackIQ Ready!, a fully managed service for continuous security optimization; and AttackIQ Enterprise, a co-managed service offering enhanced support. These services ensure your team maintains a robust security posture.