Cactus ransomware, discovered in March 2023, uses a mutex to ensure a single active copy and persistence via a scheduled task named “Updates Check Task.” It encrypts files with AES (OpenSSL), stores the public RSA key encrypted inside the binary, and renames encrypted files with a .cts0 or .cts1 extension. #CactusRansomware #UpdatesCheckTask
Keypoints
- Cactus ransomware uses a mutex to ensure only one instance runs at a time.
- Persistence is achieved via a scheduled task called “Updates Check Task.”
- It employs a hybrid cryptography scheme: AES for file data and RSA for key protection.
- The ransomware encrypts files using AES256 in CBC mode and appends a .cts0 or .cts1 extension to each encrypted file.
- The sample is UPX-packed and hides certain artifacts (folders/files) via Windows APIs.
- It performs extensive file discovery and target filtering, and deletes ntuser.dat after encryption.
MITRE Techniques
- [T1027] Obfuscated/Compressed Files and Information – The ransomware is packed with UPX. ‘The ransomware is packed with UPX.’
- [T1053.005] Scheduled Task – The ransomware establishes persistence by creating the “Updates Check Task” scheduled task, which runs the malware with the “-r” parameter. ‘The ransomware establishes persistence by creating the “Updates Check Task” scheduled task, which runs the malware with the “-r” parameter.’
- [T1564.001] Hide Artifacts: Hidden Files and Directories – A folder used by the ransomware is hidden using the SetFileAttributesW API with attribute value 0x12 (FILE_ATTRIBUTE_DIRECTORY | FILE_ATTRIBUTE_HIDDEN). ‘The above folder is hidden using the SetFileAttributesW API (0x12 = FILE_ATTRIBUTE_DIRECTORY | FILE_ATTRIBUTE_HIDDEN)’
- [T1486] Data Encrypted for Impact – The algorithm used to encrypt the files is AES256 in CBC mode. ‘The algorithm used to encrypt the files is AES256 in CBC mode, as highlighted in the figure below.’
- [T1083] File and Directory Discovery – The files are enumerated using the FindFirstFileW and FindNextFileW APIs. ‘The files are enumerated using the FindFirstFileW and FindNextFileW APIs:’
- [T1070.004] Indicator Removal on Host: File Deletion – The binary deletes the ntuser.dat file found in the ProgramData directory if it exists. ‘The binary deletes the “ntuser.dat” file found in the ProgramData directory if it exists:’
Indicators of Compromise
- [SHA256] Sample hash – 78C16DE9FC07F1D0375A093903F86583A4E32037A7DA8AA2F90ECB15C4862C17
- [File] Ransom note – CaCtUs.ReAdMe.txt
- [Mutex] Single-instance mutex – b4kr-xr7h-qcps-omu3cAcTuS
- [File] Created/target files – C:\ProgramData\ntuser.dat, C:\ProgramData\b4kr-xr7h-qcps-omu3.exe, C:\ProgramData\update.log
- [Scheduled Task] Updates Check Task
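The MITRE techniques and the indicators above map directly onto host telemetry a SOC already collects (file create/rename/delete, scheduled task registration, mutex creation, attribute changes). The following is an added detection example, not code from the report or from SecurityScorecard: it encodes the report's indicators as matching rules and runs them over a small set of constructed endpoint events. The event schema (`type`, `path`, `sha256`, `attrs`, and so on), the hidden folder name `C:\ProgramData\staging`, and the benign noise events are assumptions made for the example; only the hash, mutex, task name, ransom note, dropped-file paths, extensions and the 0x12 attribute value come from the page.

```python
"""Match Cactus ransomware indicators against constructed endpoint telemetry.

Indicators (hash, mutex, task name, note, dropped files, extensions, 0x12)
are taken from the report; the event format and sample events are
constructed for this example.
"""
from __future__ import annotations

import re

SAMPLE_SHA256 = "78C16DE9FC07F1D0375A093903F86583A4E32037A7DA8AA2F90ECB15C4862C17".lower()
RANSOM_NOTE = "CaCtUs.ReAdMe.txt".lower()
MUTEX_NAME = "b4kr-xr7h-qcps-omu3cAcTuS"          # mutex names are case-sensitive
TASK_NAME = "Updates Check Task"
DROPPED_FILES = {
    r"c:\programdata\ntuser.dat",
    r"c:\programdata\b4kr-xr7h-qcps-omu3.exe",
    r"c:\programdata\update.log",
}
ENCRYPTED_EXT = re.compile(r"\.cts[01]$", re.IGNORECASE)

# Win32 file attribute bits; 0x12 is the combined value the report cites.
FILE_ATTRIBUTE_HIDDEN = 0x02
FILE_ATTRIBUTE_DIRECTORY = 0x10


def norm_path(path: str) -> str:
    """Case-fold and unify separators so NTFS paths compare reliably."""
    return path.replace("/", "\\").lower()


def is_hidden_directory(attrs: int) -> bool:
    """True when both HIDDEN and DIRECTORY bits are set (0x12 as in the report)."""
    mask = FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_DIRECTORY
    return attrs & mask == mask


def check_event(ev: dict) -> list[tuple[str, str]]:
    """Return (technique-or-IoC label, detail) findings for one event."""
    findings: list[tuple[str, str]] = []
    kind = ev.get("type")
    if kind == "file_create":
        path = norm_path(ev["path"])
        if ev.get("sha256", "").lower() == SAMPLE_SHA256:
            findings.append(("IoC:SHA256", f"known Cactus sample written: {ev['path']}"))
        if path in DROPPED_FILES:
            findings.append(("IoC:File", f"Cactus artifact created: {ev['path']}"))
        if path.rsplit("\\", 1)[-1] == RANSOM_NOTE:
            findings.append(("T1486", f"ransom note dropped: {ev['path']}"))
    elif kind == "mutex_create" and ev.get("name") == MUTEX_NAME:
        findings.append(("IoC:Mutex", "Cactus single-instance mutex created"))
    elif kind == "task_create" and ev.get("name") == TASK_NAME:
        findings.append(("T1053.005",
                         f"scheduled task {TASK_NAME!r} registered: {ev.get('command', '')}"))
    elif kind == "set_attributes" and is_hidden_directory(ev.get("attrs", 0)):
        findings.append(("T1564.001", f"directory hidden via SetFileAttributesW: {ev['path']}"))
    elif kind == "file_rename" and ENCRYPTED_EXT.search(ev.get("new", "")):
        findings.append(("T1486", f"file renamed with Cactus extension: {ev['new']}"))
    elif kind == "file_delete" and norm_path(ev["path"]) == r"c:\programdata\ntuser.dat":
        findings.append(("T1070.004", "ntuser.dat removed from ProgramData after encryption"))
    return findings


def scan(events: list[dict]) -> list[tuple[str, str]]:
    """Run every rule over every event and collect the findings in order."""
    return [finding for ev in events for finding in check_event(ev)]


# Constructed telemetry, not real logs. The folder name "staging" is invented;
# the report does not name the folder that gets hidden.
SAMPLE_EVENTS = [
    {"type": "file_create", "path": r"C:\ProgramData\b4kr-xr7h-qcps-omu3.exe",
     "sha256": SAMPLE_SHA256},
    {"type": "mutex_create", "name": MUTEX_NAME},
    {"type": "task_create", "name": TASK_NAME,
     "command": r"C:\ProgramData\b4kr-xr7h-qcps-omu3.exe -r"},
    {"type": "set_attributes", "path": r"C:\ProgramData\staging", "attrs": 0x12},
    {"type": "file_rename", "old": r"D:\share\q3-report.docx",
     "new": r"D:\share\q3-report.docx.cts1"},
    {"type": "file_create", "path": r"D:\share\CaCtUs.ReAdMe.txt", "sha256": "0" * 64},
    {"type": "file_delete", "path": r"C:\ProgramData\ntuser.dat"},
    # Benign noise the rules must not flag: a different task that also uses
    # "-r", an ordinary rename, and a hidden file that is not a directory.
    {"type": "task_create", "name": "Nightly Backup", "command": r"C:\Tools\backup.exe -r"},
    {"type": "file_rename", "old": r"D:\share\notes.txt", "new": r"D:\share\notes.bak"},
    {"type": "set_attributes", "path": r"C:\Users\alice\secret.txt", "attrs": 0x02},
]

if __name__ == "__main__":
    for label, detail in scan(SAMPLE_EVENTS):
        print(f"[{label}] {detail}")
```

The rules deliberately key on the exact artifacts the report names rather than on generic behaviour, so a hit is high-confidence but the rule set is brittle against a rebuilt sample; in production the extension, ransom-note and hidden-directory rules are the ones worth keeping broad, while the hash, mutex and task-name rules serve as confirmation of this specific family.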
Read more: https://securityscorecard.com/research/deep-dive-into-cactus-ransomware/