Cactus Ransomware’s Evolving Tactics: A Growing Threat Requiring Vigilance in Indonesia

Key points:

  • Indonesia accounts for 0.7% of globally recorded ransomware cases, which places Indonesian organisations within the target set of sophisticated groups such as Cactus.
  • Cactus ransomware runs a multi-stage attack: social engineering via email and Microsoft Teams, DLL sideloading, and a custom backconnect C2 implant for stealthy, persistent operator access.
  • The group abuses legitimate software, using the OneDrive binary as a DLL sideloading host and WinSCP for file transfer, to blend in with normal activity and to support lateral movement and data exfiltration.
  • Although encryption was prevented in a recent incident, the group had already positioned itself to complete the ransomware deployment phase.
  • Indicators of compromise include specific file names, a registry key, C2 IP addresses, and the domain pumpkinrab.com (full values are in the linked report).

What the Indonesian Government and Related Institutions Should Do:

  • Issue specific warnings about the social engineering tactics used by Cactus, particularly Microsoft Teams impersonation and malicious downloads disguised as legitimate software.
  • Enhance monitoring for the Cactus IOCs across government networks: the identified registry key, the C2 IP addresses, and DNS queries or connections to pumpkinrab.com and its subdomains.
  • Tighten controls on external communication channels such as Microsoft Teams (for example, restricting chat from external tenants) and disable Quick Assist by default on government-issued devices unless it is strictly required.
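As an added example that is not part of this digest or of Red Piranha's report, the Python script below matches the network IOCs named on this page (the domain pumpkinrab.com and downloads with the ".bpx" extension, which the citizen guidance also flags) against proxy and DNS log lines. The log lines and their format are constructed for the example; the C2 IP addresses and the registry key are in the linked report and are not reproduced here, so the IP list is left empty as a placeholder to be filled from the report.

```python
"""Match the Cactus IOCs named in this digest against proxy/DNS log lines.

Added example, not code from the report. Log lines are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address
from urllib.parse import urlparse

# IOCs named on this page. The report's C2 IP addresses and registry key are
# not reproduced here, so IOC_IPS is an empty placeholder (assumption).
IOC_DOMAINS = {"pumpkinrab.com"}
IOC_IPS: set[str] = set()          # fill from the report, e.g. {"203.0.113.5"}
SUSPICIOUS_EXTENSIONS = (".bpx",)   # Cactus lure payload extension on this page


@dataclass
class Hit:
    line_no: int
    reason: str
    line: str


def domain_matches(host: str) -> bool:
    """True for the IOC domain itself or any subdomain of it.

    Suffix-matching on ".<domain>" avoids the substring trap where
    "notpumpkinrab.com" or "pumpkinrab.com.evil.test" would also match.
    """
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)


def ip_matches(value: str) -> bool:
    """True if value is a literal IP address present in IOC_IPS."""
    try:
        return str(ip_address(value)) in IOC_IPS
    except ValueError:
        return False


# Constructed sample log. Simplified format:
#   "<epoch> <client> <METHOD> <url> <status>"   for proxy lines
#   "<epoch> <client> DNS <qname>"               for resolver lines
SAMPLE_LOG = """\
1741100000 10.0.0.12 GET https://onedrive.live.com/download 200
1741100010 10.0.0.12 DNS update.pumpkinrab.com
1741100012 10.0.0.12 GET http://update.pumpkinrab.com/setup.bpx 200
1741100020 10.0.0.33 GET https://example.org/index.html 200
1741100030 10.0.0.33 DNS pumpkinrab.com.evil.test
1741100040 10.0.0.33 GET https://example.org/notpumpkinrab.com/readme.txt 200
"""


def scan(log_text: str) -> list[Hit]:
    """Return one Hit per (line, reason); a line can produce several hits."""
    hits: list[Hit] = []
    for n, line in enumerate(log_text.splitlines(), 1):
        parts = line.split()
        if len(parts) < 4:
            continue  # skip malformed lines rather than crash mid-scan
        kind, target = parts[2], parts[3]
        if kind == "DNS":
            host, path = target, ""
        else:
            url = urlparse(target)
            host, path = url.hostname or "", url.path
        if domain_matches(host):
            hits.append(Hit(n, "C2 domain", line))
        if ip_matches(host):
            hits.append(Hit(n, "C2 IP", line))
        if path.lower().endswith(SUSPICIOUS_EXTENSIONS):
            hits.append(Hit(n, "suspicious download extension", line))
    return hits


if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(f"line {h.line_no}: {h.reason}: {h.line}")
```

Run against real logs by replacing SAMPLE_LOG with the proxy and resolver export and filling IOC_IPS from the report. The suffix match matters in practice: a naive `"pumpkinrab.com" in line` check would both miss nothing and flood the queue with the look-alike hosts on lines 5 and 6, which this script correctly ignores.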

What Indonesian Citizens Should Know and Do:

  • Be highly suspicious of unsolicited messages or requests for remote assistance via Microsoft Teams, even when they appear to come from familiar contacts or IT support, and verify such requests through a separate channel such as a phone call to a known number.
  • Exercise extreme caution when opening email attachments or downloading files, especially those with unusual extensions such as ".bpx" or archives containing DLL files, even when they are presented as legitimate applications such as OneDrive.

Read more:
https://redpiranha.net/news/threat-intelligence-report-march-4-march-10-2025